Damien/docker-images
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactor: switch to Kaniko (no daemon, no privileged mode needed)

Browse Source
This commit is contained in:
Damien Arnodo
2025-12-07 18:10:21 +00:00
parent fedd5814f3
commit fbab2854c6
1 changed files with 20 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
.gitea/workflows/build-images.yml
View File

@@ -38,11 +38,9 @@ jobs:
id: changes
run: |
if [ -n "${{ inputs.image }}" ]; then
# Manual trigger - build specific image
echo "matrix=[\"${{ inputs.image }}\"]" >> $GITHUB_OUTPUT
echo "has_changes=true" >> $GITHUB_OUTPUT
else
# Auto-detect changed images
CHANGED=$(git diff --name-only HEAD~1 HEAD -- images/ 2>/dev/null | cut -d'/' -f2 | sort -u | grep -v '^$' || true)
if [ -z "$CHANGED" ]; then
echo "has_changes=false" >> $GITHUB_OUTPUT
@@ -60,44 +58,36 @@ jobs:
echo "Has changes: ${{ steps.changes.outputs.has_changes }}"
# ============================================================================
# Job 2 : Build avec Buildkit rootless (100% containerisé)
# Job 2 : Build avec Kaniko (100% containerisé, sans daemon Docker)
# ============================================================================
build:
needs: detect-changes
if: needs.detect-changes.outputs.has_changes == 'true'
runs-on: docker
container:
image: moby/buildkit:rootless
options: --privileged
image: gcr.io/kaniko-project/executor:debug
strategy:
matrix:
image: ${{ fromJson(needs.detect-changes.outputs.matrix) }}
steps:
- name: Checkout repository
run: |
# Use $HOME to avoid /workspace conflicts
WORK_DIR="$HOME/build"
# Kaniko debug image has busybox + sh
WORK_DIR="/workspace/source"
rm -rf "$WORK_DIR"
mkdir -p "$WORK_DIR"
# Git is included in moby/buildkit image
# Clone with git (included in debug image)
git clone --depth 1 https://gitea.arnodo.fr/${{ gitea.repository }}.git "$WORK_DIR"
echo "WORK_DIR=$WORK_DIR" >> $GITHUB_ENV
- name: Build and push with Buildkit
- name: Setup registry auth
env:
REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
REGISTRY_USER: ${{ gitea.actor }}
run: |
cd "$WORK_DIR"
IMAGE_NAME="${{ env.REGISTRY }}/damien/${{ matrix.image }}"
SHORT_SHA=$(echo "${{ gitea.sha }}" | cut -c1-7)
# Create auth config for registry
mkdir -p ~/.docker
mkdir -p /kaniko/.docker
AUTH=$(echo -n "${REGISTRY_USER}:${REGISTRY_TOKEN}" | base64 | tr -d '\n')
cat > ~/.docker/config.json <<EOF
cat > /kaniko/.docker/config.json <<EOF
{
"auths": {
"${{ env.REGISTRY }}": {
@@ -106,19 +96,21 @@ jobs:
}
}
EOF
- name: Build and push with Kaniko
run: |
IMAGE_NAME="${{ env.REGISTRY }}/damien/${{ matrix.image }}"
SHORT_SHA=$(echo "${{ gitea.sha }}" | cut -c1-7)
echo "Building ${IMAGE_NAME}..."
echo "Context: ./images/${{ matrix.image }}"
ls -la ./images/${{ matrix.image }}/
# Build and push with buildctl
buildctl-daemonless.sh build \
--frontend dockerfile.v0 \
--local context=./images/${{ matrix.image }} \
--local dockerfile=./images/${{ matrix.image }} \
--output type=image,name=${IMAGE_NAME}:latest,push=true \
--output type=image,name=${IMAGE_NAME}:${SHORT_SHA},push=true \
--opt build-arg:BUILDKIT_INLINE_CACHE=1
/kaniko/executor \
--dockerfile=/workspace/source/images/${{ matrix.image }}/Dockerfile \
--context=/workspace/source/images/${{ matrix.image }} \
--destination=${IMAGE_NAME}:latest \
--destination=${IMAGE_NAME}:${SHORT_SHA} \
--cache=true \
--cache-repo=${IMAGE_NAME}-cache
echo "✅ Pushed ${IMAGE_NAME}:latest"
echo "✅ Pushed ${IMAGE_NAME}:${SHORT_SHA}"