Custom Kaniko image (from Google’s debug variant) for Forgejo Actions: build & push container images in CI/CD by just setting env vars—no Docker daemon needed.
https://git.van-hemmen.com/actions/kaniko
Guillaume B.B. Van Hemmen
a719e4dfbc
This PR closes #4 by renaming the GitHub Actions variable from GITHUB_REF_NAME to GIT_REF_NAME, fixing secrets and artifact destination paths, and adding detailed logging of environment variables and build actions for easier troubleshooting. It also updates the Dockerfile to run installation steps as root but switches to a non-root user for runtime, and replaces the shell with a strictly POSIX-compliant variant to improve portability and security. Reviewed-on: #5 Co-authored-by: Guillaume B.B. Van Hemmen <GuillaumeHemmen@noreply.git.van-hemmen.com> Co-committed-by: Guillaume B.B. Van Hemmen <GuillaumeHemmen@noreply.git.van-hemmen.com> |
||
|---|---|---|
| .forgejo/workflows | ||
| build.sh | ||
| CODE_OF_CONDUCT.md | ||
| CONTRIBUTING.md | ||
| Dockerfile | ||
| LICENSE | ||
| README.md | ||
kaniko (action)
Custom Kaniko image (forked from Google’s gcr.io/kaniko-project/executor:debug) for Forgejo Actions.
Build & push OCI-compatible container images in your pipelines without a Docker daemon. Just set a few environment variables.
Highlights
| Feature | Benefit |
|---|---|
| Daemon-less builds | Works in completely rootless, container-only environments |
| Debug base | Includes /shell & common tools for troubleshooting |
| Registry-agnostic | Push to Docker Hub, GHCR, Harbor, Quay, Google Artifact Registry, etc. |
| Small wrapper script | Autodetects credentials and common env-var combos |
Image tags
| Tag | Base | Intended use |
|---|---|---|
latest |
Google debug executor |
General CI pipelines |
Quick start
# .forgejo/workflows/build.yaml
name: Build & push image
on:
push:
branches: [ main ]
jobs:
build:
runs-on: docker
container:
image: git.van-hemmen.com/actions/kaniko:latest
steps:
- name: Build & push with Kaniko
env:
# --- mandatory --------------------------------------------------------
KANIKO_CONTEXT: git://git.van-hemmen.com/actions/kaniko.git
GIT_REF_NAME: ${{ github.ref_name }}
GIT_USERNAME: ${{ secrets.docker_username }}
GIT_PASSWORD: ${{ secrets.access_token }}
# --- optional (only needed when you plan to push) ---------------------
REGISTRY_HOST: ghcr.io
REGISTRY_USER: ${{ secrets.docker_username }}
REGISTRY_PASS: ${{ secrets.access_token }}
KANIKO_DESTINATION: git.van-hemmen.com/myorg/myapp:${GITHUB_SHA}
# --- fine-tuning ------------------------------------------------------
KANIKO_DOCKERFILE: ./Dockerfile
KANIKO_VERBOSITY: info
Environment variables
| Variable | Required | Purpose | Example value |
|---|---|---|---|
KANIKO_CONTEXT |
Yes | Build context (git://). |
git://git.van-hemmen.com/actions/kaniko.git |
GIT_REF_NAME |
Yes | Branch or tag that is being built. | ${{ github.ref_name }} |
GIT_USERNAME |
Yes | Username with access to KANIKO_CONTEXT when it is private. |
${{ secrets.GIT_USERNAME }} |
GIT_PASSWORD |
Yes | Token/password paired with GIT_USERNAME. |
${{ secrets.GIT_PASSWORD }} |
REGISTRY_HOST |
No (default git.van-hemmen.com) |
Target registry hostname. | ghcr.io |
REGISTRY_USER |
No* | Registry username. Enables push only if both REGISTRY_USER and REGISTRY_PASS are set. |
${{ secrets.REGISTRY_USER }} |
REGISTRY_PASS |
No* | Registry password/token. | ${{ secrets.REGISTRY_PASS }} |
KANIKO_DESTINATION |
No | Comma-separated list of image references to push (variables like ${{ github.sha }} are expanded). |
ghcr.io/myorg/app:${{ github.sha }},ghcr.io/myorg/app:latest |
KANIKO_DOCKERFILE |
No (default ./Dockerfile) |
Path to the Dockerfile relative to the context. | ./docker/Dockerfile.alpine |
KANIKO_VERBOSITY |
No (default info) |
Log level (trace, debug, info, warn, error, fatal, panic). |
debug |
* REGISTRY_USER / REGISTRY_PASS are only needed when the registry requires authentication.