chore: add daily executor build action

chore(ci): update actions/checkout to v6
docs: add warning about kaniko lacking maintainers
2025-12-16 13:59:02 +00:00 · 2025-12-15 11:10:15 +01:00 · 2025-12-15 10:50:31 +01:00 · 2024-11-07 19:00:36 +01:00 · 2024-11-07 18:55:15 +01:00 · 2024-04-22 22:50:48 +02:00
7 changed files with 106 additions and 7 deletions
--- a/.github/workflows/executor.yml
+++ b/.github/workflows/executor.yml
@ -0,0 +1,94 @@
+name: Executor
+
+on:
+  schedule:
+    - cron: "0 6 * * *" # Daily at 6 AM UTC
+  workflow_dispatch: # Allow manual triggering
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: aevea/action-kaniko/executor
+  SOURCE_REPO: chainguard-forks/kaniko
+
+jobs:
+  check-and-build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Get latest tag from source repo
+        id: source-tag
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          LATEST_TAG=$(gh release view --repo ${{ env.SOURCE_REPO }} --json tagName -q '.tagName' 2>/dev/null || true)
+          if [ -z "$LATEST_TAG" ]; then
+            # Fallback to tags if no releases
+            LATEST_TAG=$(gh api repos/${{ env.SOURCE_REPO }}/tags --jq '.[0].name')
+          fi
+          echo "tag=$LATEST_TAG" >> $GITHUB_OUTPUT
+          echo "Latest source tag: $LATEST_TAG"
+
+      - name: Check if tag already exists in registry
+        id: check-tag
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          # Check if the image with this tag already exists using GitHub Packages API
+          EXISTING_TAGS=$(gh api /users/aevea/packages/container/action-kaniko%2Fexecutor/versions --jq '.[].metadata.container.tags[]' 2>/dev/null || true)
+
+          if echo "$EXISTING_TAGS" | grep -qx "${{ steps.source-tag.outputs.tag }}"; then
+            echo "exists=true" >> $GITHUB_OUTPUT
+            echo "Tag ${{ steps.source-tag.outputs.tag }} already exists, skipping build"
+          else
+            echo "exists=false" >> $GITHUB_OUTPUT
+            echo "Tag ${{ steps.source-tag.outputs.tag }} does not exist, will build"
+          fi
+
+      - name: Checkout source repository
+        if: steps.check-tag.outputs.exists == 'false'
+        uses: actions/checkout@v6
+        with:
+          repository: ${{ env.SOURCE_REPO }}
+          ref: ${{ steps.source-tag.outputs.tag }}
+
+      - name: Set up Docker Buildx
+        if: steps.check-tag.outputs.exists == 'false'
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        if: steps.check-tag.outputs.exists == 'false'
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push executor image
+        if: steps.check-tag.outputs.exists == 'false'
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: deploy/Dockerfile
+          target: kaniko-executor
+          push: true
+          tags: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.source-tag.outputs.tag }}
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+          build-args: |
+            TARGETARCH=amd64
+            TARGETOS=linux
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Summary
+        run: |
+          if [ "${{ steps.check-tag.outputs.exists }}" = "true" ]; then
+            echo "## Build Skipped" >> $GITHUB_STEP_SUMMARY
+            echo "Tag \`${{ steps.source-tag.outputs.tag }}\` already exists in the registry." >> $GITHUB_STEP_SUMMARY
+          else
+            echo "## Build Complete" >> $GITHUB_STEP_SUMMARY
+            echo "Successfully built and pushed \`${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.source-tag.outputs.tag }}\`" >> $GITHUB_STEP_SUMMARY
+          fi
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@ -6,8 +6,8 @@ jobs:
    runs-on: ubuntu-latest
    name: Verify commit messages
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: Run commitsar
-        uses: docker://aevea/commitsar@sha256:8d2db4e430dd06e3fcde173add43dada80b37150ba1191a69cda1c0bcdba9cb1
+        uses: docker://aevea/commitsar@sha256:e4aed72de9a00b990a53c678ad51fbe9bd04e127a617d10beab0ef0204b1dfa0
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@ -6,7 +6,7 @@ jobs:
    runs-on: ubuntu-latest
    name: Build docker image
    steps:
-      - uses: actions/checkout@master
+      - uses: actions/checkout@v6

      - name: GitHub Package Registry
        uses: aevea/action-kaniko@master
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -10,12 +10,12 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
        with:
          fetch-depth: 0

      - name: Release Notary Action
-        uses: docker://aevea/release-notary@sha256:b77e86ce9ce4b0c8774cdb3b807b756d1d6139d73aca74388560250de259be4e
+        uses: docker://aevea/release-notary@sha256:690915bf87458fd8eb1e1ff0be34b33377f920eda3f38b96c62ecbf897c831f4
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
--- a/2
+++ b/2
@ -2,7 +2,7 @@ FROM alpine as certs

 RUN apk --update add ca-certificates

-FROM gcr.io/kaniko-project/executor:v1.21.1-debug
+FROM gcr.io/kaniko-project/executor:v1.23.2-debug

 SHELL ["/busybox/sh", "-c"]

--- a/README.md
+++ b/README.md
@ -1,5 +1,8 @@
 # Kaniko image builder

+> [!WARNING]  
+> The kaniko project no longer seems to [have maintainers](https://github.com/GoogleContainerTools/kaniko/issues/3348). Keep this in mind before deciding to use kaniko as your image builder.
+
 This Action uses the [kaniko](https://github.com/GoogleContainerTools/kaniko) executor instead of the docker daemon. Kaniko builds the image
 by extracting the filesystem of the base image, making the changes in the user space, snapshotting any change and appending it to the base
 image filesystem.
--- a/entrypoint.sh
+++ b/entrypoint.sh
@ -102,7 +102,9 @@ eval "${kaniko_cmd}"

 echo "image=$IMAGE" >> "$GITHUB_OUTPUT"
 echo "digest=$(cat /kaniko/digest)" >> "$GITHUB_OUTPUT"
-echo "image-tag-digest=$(cat /kaniko/image-tag-digest)" >> "$GITHUB_OUTPUT"
+echo "image-tag-digest<<EOF" >>"$GITHUB_OUTPUT"
+echo "$(cat /kaniko/image-tag-digest)" >>"$GITHUB_OUTPUT"
+echo 'EOF' >>"$GITHUB_OUTPUT"


 if [ -n "$INPUT_SKIP_UNCHANGED_DIGEST" ]; then
Author	SHA1	Message	Date
Alex Viscreanu	a198175914	chore: add daily executor build action	2025-12-15 11:10:15 +01:00
Alex Viscreanu	9a317cb443	chore(ci): update actions/checkout to v6	2025-12-15 10:50:31 +01:00
Alex Viscreanu	be5ce625a5	docs: add warning about kaniko lacking maintainers	2024-11-07 19:00:36 +01:00
renovate[bot]	58af85fb13	chore(deps): update gcr.io/kaniko-project/executor docker tag to v1.23.2	2024-11-07 18:55:15 +01:00
renovate[bot]	9223ef89b8	chore(deps): update gcr.io/kaniko-project/executor docker tag to v1.22.0	2024-04-22 22:50:48 +02:00
renovate[bot]	12a3a8cc81	chore(deps): update aevea/commitsar docker digest to e4aed72	2024-04-22 22:47:31 +02:00
renovate[bot]	977090a03e	chore(deps): update aevea/release-notary docker digest to 690915b	2024-04-22 22:47:22 +02:00
Jason Kratz	fd47216104	fix: correctly handle multi-line tag digests output kaniko outputs each tag on a new line, so users that push multiple tags at once would get an error as the output wasn't prepared to handle multi-line text	2024-04-22 22:38:37 +02:00