actions/kaniko
actions/kaniko
1
0
Fork 0
Code Issues Pull requests Releases Packages1 Activity Actions
kaniko/README.md
Guillaume B.B. Van Hemmen a719e4dfbc - CI pipeline & Dockerfile hardening: env var rename, extended logging, POSIX shell, privilege drop () 
This PR closes  by renaming the GitHub Actions variable from GITHUB_REF_NAME to GIT_REF_NAME, fixing secrets and artifact destination paths, and adding detailed logging of environment variables and build actions for easier troubleshooting. It also updates the Dockerfile to run installation steps as root but switches to a non-root user for runtime, and replaces the shell with a strictly POSIX-compliant variant to improve portability and security.

Reviewed-on: 
Co-authored-by: Guillaume B.B. Van Hemmen <GuillaumeHemmen@noreply.git.van-hemmen.com>
Co-committed-by: Guillaume B.B. Van Hemmen <GuillaumeHemmen@noreply.git.van-hemmen.com>
2025-05-19 11:31:45 +00:00

81 lines
3.8 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# kaniko (action)
![CI](https://git.van-hemmen.com/actions/kaniko/actions)
![License](https://img.shields.io/github/license/actions/kaniko)
Custom **Kaniko** image (forked from Googles `gcr.io/kaniko-project/executor:debug`) for Forgejo Actions.
Build & push OCI-compatible container images in your pipelines **without** a Docker daemon. Just set a few environment variables.
---
## Highlights
| Feature | Benefit |
|---------|---------|
| **Daemon-less builds** | Works in completely rootless, container-only environments |
| **Debug base** | Includes `/shell` & common tools for troubleshooting |
| **Registry-agnostic** | Push to Docker Hub, GHCR, Harbor, Quay, Google Artifact Registry, etc. |
| **Small wrapper script** | Autodetects credentials and common env-var combos |
---
## Image tags
| Tag | Base | Intended use |
|-----|------|--------------|
| `latest` | Google `debug` executor | General CI pipelines |
---
## Quick start
```yaml
# .forgejo/workflows/build.yaml
name: Build & push image
on:
push:
branches: [ main ]
jobs:
build:
runs-on: docker
container:
image: git.van-hemmen.com/actions/kaniko:latest
steps:
- name: Build & push with Kaniko
env:
# --- mandatory --------------------------------------------------------
KANIKO_CONTEXT: git://git.van-hemmen.com/actions/kaniko.git
GIT_REF_NAME: ${{ github.ref_name }}
GIT_USERNAME: ${{ secrets.docker_username }}
GIT_PASSWORD: ${{ secrets.access_token }}
# --- optional (only needed when you plan to push) ---------------------
REGISTRY_HOST: ghcr.io
REGISTRY_USER: ${{ secrets.docker_username }}
REGISTRY_PASS: ${{ secrets.access_token }}
KANIKO_DESTINATION: git.van-hemmen.com/myorg/myapp:${GITHUB_SHA}
# --- fine-tuning ------------------------------------------------------
KANIKO_DOCKERFILE: ./Dockerfile
KANIKO_VERBOSITY: info
```
## Environment variables
| Variable | Required | Purpose | Example value |
|----------|----------|---------|----------------------------------------------------------------|
| `KANIKO_CONTEXT` | **Yes** | Build context (`git://`). | `git://git.van-hemmen.com/actions/kaniko.git` |
| `GIT_REF_NAME` | **Yes** | Branch or tag that is being built. | `${{ github.ref_name }}` |
| `GIT_USERNAME` | **Yes** | Username with access to `KANIKO_CONTEXT` when it is private. | `${{ secrets.GIT_USERNAME }}` |
| `GIT_PASSWORD` | **Yes** | Token/password paired with `GIT_USERNAME`. | `${{ secrets.GIT_PASSWORD }}` |
| `REGISTRY_HOST` | No (default `git.van-hemmen.com`) | Target registry hostname. | `ghcr.io` |
| `REGISTRY_USER` | No* | Registry username. Enables push only if **both** `REGISTRY_USER` and `REGISTRY_PASS` are set. | `${{ secrets.REGISTRY_USER }}` |
| `REGISTRY_PASS` | No* | Registry password/token. | `${{ secrets.REGISTRY_PASS }}` |
| `KANIKO_DESTINATION` | No | Comma-separated list of image references to push (variables like `${{ github.sha }}` are expanded). | `ghcr.io/myorg/app:${{ github.sha }},ghcr.io/myorg/app:latest` |
| `KANIKO_DOCKERFILE` | No (default `./Dockerfile`) | Path to the Dockerfile relative to the context. | `./docker/Dockerfile.alpine` |
| `KANIKO_VERBOSITY` | No (default `info`) | Log level (`trace`, `debug`, `info`, `warn`, `error`, `fatal`, `panic`). | `debug` |
\* `REGISTRY_USER` / `REGISTRY_PASS` are only needed when the registry requires authentication.
Reference in a new issue View git blame Copy permalink