aevea / action-kaniko
Build and push docker images using Kaniko and GitHub actions
I use the following to auth to GCR:
    - name: Login to GCR
      uses: docker/login-action@v2
      with:
        registry: gcr.io
        username: oauth2accesstoken
        password: ${{ steps.auth.outputs.access_token }}
This works fine in combination with
    - name: Build container
      uses: docker/build-push-action@v3
      with:
        push: true
        tags: ${{ steps.meta.outputs.tags }}
However, it doesn't work with kaniko, as that requires a username/password.
I'm using federated authentication, so I don't generate any passwords at all in this setup.
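The following is an added example and is not part of this issue or of the action's own entrypoint.sh. It shows how the same short-lived token the docker/login-action step above receives (username oauth2accesstoken, password = the access token) can be handed to kaniko directly: kaniko reads registry credentials from the Docker config.json format under DOCKER_CONFIG (by default /kaniko/.docker), so no long-lived password needs to exist anywhere in the workflow. The token variable GCR_ACCESS_TOKEN is an assumption standing in for whatever the earlier federated-auth step exported.

```shell
#!/bin/sh
# Added example; not the action's entrypoint.sh. Builds the credential file
# kaniko reads from a short-lived OAuth access token. Assumed: an earlier
# workload-identity step exported the token, e.g. as $GCR_ACCESS_TOKEN.

# kaniko_auth_json <registry host> <username> <secret>
# Prints JSON in the Docker config.json format. The "auth" field is
# base64("username:secret") with no line wrapping.
kaniko_auth_json() {
  registry=$1
  username=$2
  secret=$3
  encoded=$(printf '%s:%s' "$username" "$secret" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"auth":"%s"}}}\n' "$registry" "$encoded"
}

# write_kaniko_auth <registry host> <username> <secret>
# Writes the file where kaniko looks for it. The token grants push rights,
# so the file is created owner-readable only (umask in a subshell so the
# caller's umask is untouched).
write_kaniko_auth() {
  dir=${DOCKER_CONFIG:-/kaniko/.docker}
  mkdir -p "$dir"
  ( umask 077; kaniko_auth_json "$@" > "$dir/config.json" )
}

# Wiring for the GCR case discussed above (token variable is assumed):
# write_kaniko_auth gcr.io oauth2accesstoken "$GCR_ACCESS_TOKEN"
```

The token is only valid for a short window, so the file is worthless after the job; it still should not be world-readable inside the build container, and it must not be echoed into the job log or into GITHUB_ENV.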
I have a monorepo with multiple docker images and I would like to publish an image only if the digest of the image is not present in the registry, regardless of the tag. I'm using fluxcd and right now because a tag is pushed on every push to master, all the pods are being restarted.
Kaniko supports the reproducible flag; this action now supports it through extra_args. I suggest making it a first-class variable.
Anyway, I suggest adding a skipUnchangedDigest option to the build-push action: when set to true, the action will skip the push if the digest is already present.
Bazel supports this with the skipUnchangedDigest flag of the container_push rule; the code is here:
https://github.com/bazelbuild/rules_docker/blob/06c5419265e84baf168ba4d3982f45fe1fe312b4/container/go/cmd/pusher/pusher.go#L132
https://github.com/bazelbuild/rules_docker/blob/06c5419265e84baf168ba4d3982f45fe1fe312b4/container/go/cmd/pusher/pusher.go#L163
I will be happy to try and contribute those, however, I'm not sure how to implement the skipUnchangedDigest. Pointers are welcome.
My repo contains multiple image files. I specify the Dockerfile with:
    with:
      build_file: conda/Dockerfile
but the context is still set to the root of the repo.
Could you add an option to set the context dir?
I use this action in my workflow.
After successfully building the image I want to update the image tag in the kubernetes specs.
It would be much easier and cleaner if I could use outputs from the build step to reference the new image.
docker container fails to build complaining of bad address
#9 [stage-1 2/4] RUN wget -O /kaniko/jq https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux64 && chmod +x /kaniko/jq && wget -O /kaniko/reg https://github.com/genuinetools/reg/releases/download/v0.16.1/reg-linux-386 && chmod +x /kaniko/reg && wget -O /crane.tar.gz https://github.com/google/go-containerregistry/releases/download/v0.17.0/go-containerregistry_Linux_x86_64.tar.gz && tar -xvzf /crane.tar.gz crane -C /kaniko && rm /crane.tar.gz
#9 0.157 wget: bad address 'github.com'
#9 ERROR: process "/busybox/sh -c wget -O /kaniko/jq https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux64 && chmod +x /kaniko/jq && wget -O /kaniko/reg https://github.com/genuinetools/reg/releases/download/v0.16.1/reg-linux-386 && chmod +x /kaniko/reg && wget -O /crane.tar.gz https://github.com/google/go-containerregistry/releases/download/v0.17.0/go-containerregistry_Linux_x86_64.tar.gz && tar -xvzf /crane.tar.gz crane -C /kaniko && rm /crane.tar.gz" did not complete successfully: exit code: 1
When I set the "tag" flag to "${GITHUB_RUN_NUMBER}", the tag that is getting applied is either "main" or "master".
I would like to switch to this action (currently using https://github.com/docker/build-push-action) for the skip push feature but I am missing two features:
- latest
- https://github.com/docker/build-push-action#tag_with_ref
I think making them compatible will increase the usage of this action.
@aexvir if you would like I can make a pull request to make them (more) compatible. However, it will probably break the current options.
Hi,
I've just started using action-kaniko and have enabled skip_unchanged_digest. This works as expected and doesn't push a new image if the digests match.
I then have some extra steps that run after action-kaniko which relate to deploying the new image - but I don't want these to run if no new image was created.
Is there a way to tell if action-kaniko has pushed an image or not once it has completed? I could query the registry and look for new images but I wasn't sure if there was a simpler option.
Thanks!
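The following is an added example, not code from this action or from either of the two issues it relates to (the skipUnchangedDigest request and the question just above about telling whether a push happened). It implements the "skip if the registry already holds this digest" decision and records the outcome as a step output that later deploy steps can gate on. Assumptions: kaniko was run with --digest-file <path> (it writes the built image's digest there), crane is on PATH (the action's Dockerfile installs it), and GITHUB_OUTPUT is set by the runner. The CRANE override and the fake registry in the test are for exercising the logic offline.

```shell
#!/bin/sh
# Added example; not the action's entrypoint.sh. Decides whether a push is
# needed by comparing kaniko's --digest-file output with the digest behind
# the tag in the registry, and records the decision as a step output.

# remote_digest <ref>: digest currently behind the tag, or nothing if the tag
# does not exist or the registry is unreachable. Routed through $CRANE so the
# decision can be exercised without a registry; leave CRANE unset in a job.
remote_digest() {
  ${CRANE:-crane} digest "$1" 2>/dev/null || true
}

# should_push <ref> <digest file>
# Returns 0 when a push is needed (tag absent, or pointing at a different
# image), 1 when the registry already holds exactly this digest, and 2 when
# the local digest is missing (error out rather than guess).
should_push() {
  ref=$1
  local_digest=$(cat "$2" 2>/dev/null)
  if [ -z "$local_digest" ]; then
    echo "no local digest in $2" >&2
    return 2
  fi
  remote=$(remote_digest "$ref")
  if [ -z "$remote" ]; then
    return 0
  fi
  [ "$remote" != "$local_digest" ]
}

# record_output <name> <value>: single-line step output. A later step can use
#   if: steps.<kaniko step id>.outputs.push_needed == 'true'
record_output() {
  printf '%s=%s\n' "$1" "$2" >> "${GITHUB_OUTPUT:-/dev/stdout}"
}

# gate_push <ref> <digest file>: decide, record, and print true/false.
# The push itself (re-running the executor without --no-push, or crane push)
# is left to the caller and should only happen on "true".
gate_push() {
  if should_push "$1" "$2"; then
    needed=true
  else
    rc=$?
    [ "$rc" -eq 1 ] || return "$rc"
    needed=false
  fi
  record_output push_needed "$needed"
  echo "$needed"
}
```

Comparing digests rather than tags is what makes this safe with a tag that is rewritten on every push to master: an identical reproducible build yields the same digest and is skipped, while any content change is pushed.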
Hello, I have this GH action workflow set up.
```yaml
      - name: (SHARED) Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1
      - name: Get short SHA
        id: slug
        run: |
          echo "COMMIT=$(echo ${{ github.event.pull_request.base.sha }} | cut -c1-7)" >> $GITHUB_ENV
          echo "EKS_SERVICE=nginx" >> $GITHUB_ENV
          echo "ECR_PASSWORD=${{ steps.login-ecr.outputs.docker_password_425300134585_dkr_ecr_us_west_1_amazonaws_com }}" >> $GITHUB_ENV
          echo "${{ steps.login-ecr.outputs.docker_username_425300134585_dkr_ecr_us_west_1_amazonaws_com }}"
      - name: Kaniko build
        uses: aevea/action-kaniko@master
        with:
          image: 425300134585.dkr.ecr.us-west-1.amazonaws.com/${{env.EKS_SERVICE}}
          registry: 425300134585.dkr.ecr.us-west-1.amazonaws.com
          tag: latest
          build_file: Dockerfile
          path: Nginx
          password: ${{env.ECR_PASSWORD}} #${{ steps.login-ecr.outputs.docker_password_425300134585_dkr_ecr_us_west_1_amazonaws_com }}
          username: "AWS" #${{ steps.login-ecr.outputs.docker_username_425300134585_dkr_ecr_us_west_1_amazonaws_com }}
          #cache: false
```
I want to build my Dockerfile that's at the Nginx/Dockerfile path, and push it to 425300134585.dkr.ecr.us-west-1.amazonaws.com/nginx:latest
and I get this error:
error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "***.dkr.ecr.***.amazonaws.com/***.dkr.ecr.***.amazonaws.com/nginx:latest": Post "https://***.dkr.ecr.***.amazonaws.com/v2/***.dkr.ecr.***.amazonaws.com/nginx/blobs/uploads/": EOF
Thoughts? I know that I have the correct push permissions because I'm using the same ECR login process with docker fine.
When pulling alpine image to use for certs, Docker pull rate is being exceeded if your company runs self-hosted runners and has more than 100 builds per 6 hours. Passing the Docker credentials to the action resolves this, but it doesn't let you push your image to another location.
Potential fix:
There is no longer a need to grab the certs.
Expected results: Download is only from ghcr.io for the executor and no need for the alpine download
Currently, we are able to push an image to only one registry; it would be great to have the possibility to utilise the --destination flag and be able to push the image to multiple registries while triggering the build once.
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
This repository currently has no open or pending branches.
Dockerfile
- gcr.io/kaniko-project/executor v1.22.0-debug
.github/workflows/pr.yml
- actions/checkout v4
- aevea/commitsar sha256:e4aed72de9a00b990a53c678ad51fbe9bd04e127a617d10beab0ef0204b1dfa0
.github/workflows/push.yml
.github/workflows/release.yml
- actions/checkout v4
- aevea/release-notary sha256:690915bf87458fd8eb1e1ff0be34b33377f920eda3f38b96c62ecbf897c831f4
+ export 'REGISTRY=***'
+ export 'IMAGE=***/obmondo/dockerfiles/jammy-generic-build'
+ echo refs/pull/5/head
+ sed -E 's/refs\/(heads|tags)\///g'
+ sed -e 's/\//-/g'
+ export 'TAG=1.0.0'
+ export 'TAG=1.0.0'
+ export 'TAG=1.0.0'
+ export 'USERNAME=asdad'
+ export 'PASSWORD=***'
The registry env never gets a real value, not sure why, even when I have given a static string in my workflow.
To test this, I did a fork and changed the entrypoint script directly, and now it works.
I'm not sure where the problem is here.
Some help would be nice.
Hi,
We are no longer able to push images created by this action to "JFrog Artifactory". We see the following error while pushing the images:
error pushing image: failed to push to destination my-dockerv2-virtual.jfrog.io/my-dockerv2-virtual.jfrog.io/my-app:0.0.34: PUT https://my-dockerv2-virtual.jfrog.io/v2/my-dockerv2-virtual.jfrog.io/my-app/manifests/0.0.34: MANIFEST_INVALID: manifest invalid; map[description:Circuit Breaker Threshold Reached, Breaking Operation. see log output for manifest details.]
We tried using the year-old tag for this action, changed the github-runner OS to ubuntu 18.x, disabled the cache, but none of those are helping. All actions were working fine about 3 weeks ago. The only change I am seeing around the time we started seeing this issue is the new release of the "Kaniko executor" (https://github.com/GoogleContainerTools/kaniko/blob/main/CHANGELOG.md).
Any help you could provide on this would be great!
Thank you!
It would be nice to provide examples of extra_args usage approaches.
I have a repo myorg/myrepo and want to push an image ghcr.io/myorg/myrepo:1.0.0.
However, specifying registry: ghcr.io and image: "" yields an error, since the resulting image is tagged with ghcr.io/myorg/myrepo/:1.0.0.
Setting a value for image will only append that to the repo name, e.g. image: "myrepo" yields the tag ghcr.io/myorg/myrepo/myrepo:1.0.0.
Is there a way to not set an image name, and keep it as repo root, specifically for ghcr?
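The following is an added example, not the action's entrypoint.sh (which has its own rules for joining registry, repository and image name) and not code from any of the issues above. It shows one consistent way to compose the --destination reference so that the three malformed references reported on this page cannot form: the registry host repeated twice (the ECR error "host/host/nginx:latest" and the Artifactory error "host/host/my-app:0.0.34", where the image input already contained the host), an empty image producing "ghcr.io/myorg/myrepo/:1.0.0", and upper-case characters, which ghcr.io rejects. derive_tag reproduces the sed pipeline visible in the entrypoint trace above. Assumptions: inputs arrive as plain strings and GITHUB_REF / GITHUB_REPOSITORY are what the runner sets.

```shell
#!/bin/sh
# Added example; not the action's entrypoint.sh. Composes a kaniko
# --destination with exactly one host prefix, no empty path segment and a
# lower-case repository path, and derives a tag from GITHUB_REF.

# derive_tag <GITHUB_REF>: strip refs/heads/ or refs/tags/ and replace
# slashes, so "refs/heads/feature/x" -> "feature-x", "refs/tags/v1.2.0" -> "v1.2.0".
# Pull request refs keep their prefix ("refs/pull/5/head" -> "refs-pull-5-head").
derive_tag() {
  printf '%s\n' "$1" | sed -E 's#^refs/(heads|tags)/##' | sed 's#/#-#g'
}

# build_destination <registry> <image> <tag> [<GITHUB_REPOSITORY>]
build_destination() {
  registry=$1
  image=$2
  tag=$3
  repo=$4
  # Drop a leading "<registry>/" once, so "host/host/name" never forms.
  case $image in
    "$registry"/*) image=${image#"$registry"/} ;;
  esac
  # Empty image: publish under the repository path itself (ghcr.io/owner/repo).
  [ -n "$image" ] || image=$repo
  # No trailing slash, which would otherwise yield "owner/repo/:tag".
  image=${image%/}
  if [ -z "$image" ] || [ -z "$tag" ]; then
    echo "image name and tag are both required" >&2
    return 1
  fi
  # Registry paths are lower-case; GITHUB_REPOSITORY may not be.
  image=$(printf '%s' "$image" | tr '[:upper:]' '[:lower:]')
  printf '%s/%s:%s\n' "$registry" "$image" "$tag"
}
```

A quick sanity check before calling the executor is to count slashes after the host: a reference whose path starts with a second hostname, or ends in "/:", will fail at the registry with exactly the "checking push permission" and MANIFEST_INVALID messages quoted above, so it is cheaper to reject it locally.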
This action has stopped working because in the Dockerfile, an outdated executor is being used (at least this is my working hypothesis)
I tested v1.16.0 and found this to be working, but I don't know enough about the project to say whether this is a safe upgrade.
Repro:
docker run --rm -it --entrypoint sh gcr.io/kaniko-project/executor:v1.9.1-debug
/workspace # wget -O /kaniko/jq https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64
Connecting to github.com (140.82.121.4:443)
wget: note: TLS certificate validation not implemented
wget: TLS error from peer (alert code 80): 80
wget: error getting response: Connection reset by peer
Hi folks,
we're using action-kaniko on some workflows, but recently one stopped working with the following message:
$/usr/bin/docker run --name a62b0ab75364e68e47cc90d5aa9e43fcc042_cf3c0a --label 39a62b (...)
Unable to find image '39a62b:0ab75364e68e47cc90d5aa9e43fcc042' locally
docker: Error response from daemon: pull access denied for 39a62b, repository does not exist or may require 'docker login': denied: requested access to the resource is denied.
See 'docker run --help'.
before that, in github actions, we're running the following step:
/usr/bin/docker build -t 39a62b:0ab75364e68e47cc90d5aa9e43fcc042 -f "/home/debian/actions-runner/_work/_actions/aevea/action-kaniko/master/Dockerfile" "/home/debian/actions-runner/_work/_actions/aevea/action-kaniko/master"
WARNING: No output specified with docker-container driver. Build result will only remain in the build cache. To push result image into registry use --push or to load image into docker use --load
#1 [internal] load build definition from Dockerfile
#1 transferring dockerfile: 931B 0.0s done
#1 DONE 0.1s
#2 [internal] load .dockerignore
#2 transferring context: 63B 0.0s done
#2 DONE 0.0s
#3 [internal] load metadata for docker.io/library/alpine:latest
#3 DONE 0.4s
#4 [internal] load metadata for gcr.io/kaniko-project/executor:v1.9.1-debug
#4 DONE 0.3s
#5 [stage-1 1/4] FROM gcr.io/kaniko-project/executor:v1.9.1-debug@sha256:ac169723b2076f9d5804f4bc05c98397e286da6fdcdd5a09fdc179f06ccb3be1
#5 resolve gcr.io/kaniko-project/executor:v1.9.1-debug@sha256:ac169723b2076f9d5804f4bc05c98397e286da6fdcdd5a09fdc179f06ccb3be1 0.0s done
#5 DONE 0.0s
#6 [certs 1/2] FROM docker.io/library/alpine@sha256:69665d02cb32192e52e07644d76bc6f25abeb5410edc1c7a81a10ba3f0efb90a
#6 resolve docker.io/library/alpine@sha256:69665d02cb32192e52e07644d76bc6f25abeb5410edc1c7a81a10ba3f0efb90a 0.0s done
#6 DONE 0.0s
#7 [internal] load build context
#7 transferring context: 35B done
#7 DONE 0.0s
#8 [certs 2/2] RUN apk --update add ca-certificates
#8 CACHED
#9 [stage-1 2/4] RUN wget -O /kaniko/jq https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 && chmod +x /kaniko/jq && wget -O /kaniko/reg https://github.com/genuinetools/reg/releases/download/v0.16.1/reg-linux-386 && chmod +x /kaniko/reg && wget -O /crane.tar.gz https://github.com/google/go-containerregistry/releases/download/v0.8.0/go-containerregistry_Linux_x86_64.tar.gz && tar -xvzf /crane.tar.gz crane -C /kaniko && rm /crane.tar.gz
#9 CACHED
#10 [stage-1 3/4] COPY entrypoint.sh /
#10 CACHED
#11 [stage-1 4/4] COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
#11 CACHED
Does anyone have any clue about what's going on here?
Thanks!
When I try and use cache with ghcr.io it sends a warning and doesn't cache the build
WARN[0212] error uploading layer to cache: failed to push to destination cache-image:: HEAD https://index.docker.io/v2/library/cache-image/blobs/: unexpected status code 401 Unauthorized (HEAD responses have no body, use GET for details)
env:
  # Use docker.io for Docker Hub if empty
  REGISTRY: ghcr.io
  # github.repository as <account>/<repo>
  IMAGE_NAME: ${{ github.repository }}
jobs:
  build:
    name: Build with Kaniko
    runs-on: self-hosted
    steps:
      - id: image_name
        name: image_name
        uses: ASzc/change-string-case-action@v1
        with:
          string: ${{ github.repository }}
      - uses: actions/checkout@master
      - name: Kaniko build
        uses: aevea/action-kaniko@master
        with:
          registry: ${{ env.REGISTRY }}
          image: ${{ steps.image_name.outputs.lowercase }}
          password: ${{ secrets.GITHUB_TOKEN }}
          cache: true
          cache_registry: cache-image
          tag: develop
          build_file: docker/Dockerfile
When using the action with tag_with_latest: true and tag: toto, the action seems to produce a multi-line output. The action is then considered as failed even though it's not, with the following message:
Error: Unable to process file command 'output' successfully.
Error: Invalid format 'myprivateregistry myimage:latest@sha256:d8d07c55b7ba2d51bc07971c1ae68c632cf13c651a7d0ad5453b395364c2d6fc'
Seems related: https://stackoverflow.com/questions/74137120/how-to-fix-or-avoid-error-unable-to-process-file-command-output-successfully
The action works fine if only one tag is produced.
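The following is an added example, not the action's entrypoint.sh and not code from the issue above. It writes a step output whose value may span several lines (one image reference per tag once tag_with_latest adds a second one) using the "name<<DELIMITER" form that GitHub documents for $GITHUB_OUTPUT; the plain "name=value" form accepts a single line, which is what produces the "Invalid format" failure quoted above. get_output reads a value back in either form so the round trip can be checked. Assumptions: GITHUB_OUTPUT is set by the runner (outside Actions the functions fall back to a file named github_output), and the image references in the test are constructed.

```shell
#!/bin/sh
# Added example; not the action's entrypoint.sh. Writes single- or
# multi-line step outputs in the two forms GITHUB_OUTPUT accepts.

# set_output <name> <value>
# Multi-line values use a random delimiter, and a value that happens to
# contain it is refused: tags can derive from untrusted branch names, and a
# value carrying the delimiter line could otherwise inject extra outputs.
set_output() {
  name=$1
  value=$2
  out=${GITHUB_OUTPUT:-github_output}
  nl='
'
  case $value in
    *"$nl"*)
      delim="gh_delim_$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
      case $value in
        *"$delim"*) echo "output $name: value contains delimiter" >&2; return 1 ;;
      esac
      printf '%s<<%s\n%s\n%s\n' "$name" "$delim" "$value" "$delim" >> "$out"
      ;;
    *)
      printf '%s=%s\n' "$name" "$value" >> "$out"
      ;;
  esac
}

# get_output <name> <file>: read a value back in either form, the way a
# later step sees it through steps.<id>.outputs.<name>.
get_output() {
  awk -v name="$1" '
    inblock { if ($0 == delim) exit; print; next }
    index($0, name "<<") == 1 { delim = substr($0, length(name) + 3); inblock = 1; next }
    index($0, name "=") == 1 { print substr($0, length(name) + 2); exit }
  ' "$2"
}
```

When only one tag is produced the single-line form is used, which is why the action works in that case; the delimiter form handles both, so an action can use it unconditionally.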
at least 0.11.0 and 0.12.0.
The error is:
INFO[0078] SHELL ["/bin/bash", "--login", "-c"]
INFO[0078] No files changed in this command, skipping snapshotting.
INFO[0078] ENTRYPOINT ["/entrypoint.sh"]
INFO[0078] No files changed in this command, skipping snapshotting.
INFO[0114] Skipping push to container registry due to --no-push flag
/entrypoint.sh: line 93: syntax error: unexpected end of file (expecting "fi")
The registry is gcr.io and I use elgohr/[email protected] to get username and password.
I tried to build a docker image and send it to an ACR registry (secrets to ACR stored in a previous action step), but when it comes to the Kaniko builder the error occurs:
Build container for action use: '/home/runner/_work/_actions/aevea/action-kaniko/v0.6.0/Dockerfile'.
Error: File not found: 'docker'
The error is the same no matter what "path" parameter I use (I tried docker/base, ./docker and also /mnt/gh_actions/DevOps/DevOps/docker, which is the place where I have my Dockerfile).
The code of the step is like this:
jobs:
  docker:
    runs-on: [self-hosted-DevOps-master-centos]
    needs: [build-cm-package]
    steps:
      - name: Kaniko builder
        uses: aevea/action-kaniko@v0.6.0
        with:
          path: ${{ env.docker_repository_folder }}/base
          build_file: base/Dockerfile
          registry: ${{ env.REGISTRY_LOGIN_SERVER }}
          image: kaniko_test
          username: ${{ secrets.ACR_DEV_USERNAME }}
          password: ${{ secrets.ACR_DEV_USERNAME_PASSWORD }}
          cache: true
          cache_registry: aevea/cache
Any hint what is wrong?
Does this project overlap entirely with https://github.com/marketplace/actions/kaniko-action or are there differences readers/users should be aware of? We are just starting out using GitHub Actions (replacing GitLab CI).
Hey! We are experiencing an issue when using the action from @master:
WARN[0000] kaniko is being run outside of a container. This can have dangerous effects on your system
error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "docker.pkg.github.com/[some repo]:latest": POST https://docker.pkg.github.com/v2/[some repo]/blobs/uploads/: unexpected status code 404 Not Found: 404 page not found
Do you think it might be related to the latest releases?