refactor: switch to Kaniko (no daemon, no privileged mode needed)
This commit is contained in:
@@ -38,11 +38,9 @@ jobs:
|
|||||||
id: changes
|
id: changes
|
||||||
run: |
|
run: |
|
||||||
if [ -n "${{ inputs.image }}" ]; then
|
if [ -n "${{ inputs.image }}" ]; then
|
||||||
# Manual trigger - build specific image
|
|
||||||
echo "matrix=[\"${{ inputs.image }}\"]" >> $GITHUB_OUTPUT
|
echo "matrix=[\"${{ inputs.image }}\"]" >> $GITHUB_OUTPUT
|
||||||
echo "has_changes=true" >> $GITHUB_OUTPUT
|
echo "has_changes=true" >> $GITHUB_OUTPUT
|
||||||
else
|
else
|
||||||
# Auto-detect changed images
|
|
||||||
CHANGED=$(git diff --name-only HEAD~1 HEAD -- images/ 2>/dev/null | cut -d'/' -f2 | sort -u | grep -v '^$' || true)
|
CHANGED=$(git diff --name-only HEAD~1 HEAD -- images/ 2>/dev/null | cut -d'/' -f2 | sort -u | grep -v '^$' || true)
|
||||||
if [ -z "$CHANGED" ]; then
|
if [ -z "$CHANGED" ]; then
|
||||||
echo "has_changes=false" >> $GITHUB_OUTPUT
|
echo "has_changes=false" >> $GITHUB_OUTPUT
|
||||||
@@ -60,44 +58,36 @@ jobs:
|
|||||||
echo "Has changes: ${{ steps.changes.outputs.has_changes }}"
|
echo "Has changes: ${{ steps.changes.outputs.has_changes }}"
|
||||||
|
|
||||||
# ============================================================================
|
# ============================================================================
|
||||||
# Job 2 : Build avec Buildkit rootless (100% containerisé)
|
# Job 2 : Build avec Kaniko (100% containerisé, sans daemon Docker)
|
||||||
# ============================================================================
|
# ============================================================================
|
||||||
build:
|
build:
|
||||||
needs: detect-changes
|
needs: detect-changes
|
||||||
if: needs.detect-changes.outputs.has_changes == 'true'
|
if: needs.detect-changes.outputs.has_changes == 'true'
|
||||||
runs-on: docker
|
runs-on: docker
|
||||||
container:
|
container:
|
||||||
image: moby/buildkit:rootless
|
image: gcr.io/kaniko-project/executor:debug
|
||||||
options: --privileged
|
|
||||||
strategy:
|
strategy:
|
||||||
matrix:
|
matrix:
|
||||||
image: ${{ fromJson(needs.detect-changes.outputs.matrix) }}
|
image: ${{ fromJson(needs.detect-changes.outputs.matrix) }}
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
run: |
|
run: |
|
||||||
# Use $HOME to avoid /workspace conflicts
|
# Kaniko debug image has busybox + sh
|
||||||
WORK_DIR="$HOME/build"
|
WORK_DIR="/workspace/source"
|
||||||
rm -rf "$WORK_DIR"
|
rm -rf "$WORK_DIR"
|
||||||
mkdir -p "$WORK_DIR"
|
mkdir -p "$WORK_DIR"
|
||||||
|
|
||||||
# Git is included in moby/buildkit image
|
# Clone with git (included in debug image)
|
||||||
git clone --depth 1 https://gitea.arnodo.fr/${{ gitea.repository }}.git "$WORK_DIR"
|
git clone --depth 1 https://gitea.arnodo.fr/${{ gitea.repository }}.git "$WORK_DIR"
|
||||||
|
|
||||||
echo "WORK_DIR=$WORK_DIR" >> $GITHUB_ENV
|
- name: Setup registry auth
|
||||||
|
|
||||||
- name: Build and push with Buildkit
|
|
||||||
env:
|
env:
|
||||||
REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
|
REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
|
||||||
REGISTRY_USER: ${{ gitea.actor }}
|
REGISTRY_USER: ${{ gitea.actor }}
|
||||||
run: |
|
run: |
|
||||||
cd "$WORK_DIR"
|
mkdir -p /kaniko/.docker
|
||||||
IMAGE_NAME="${{ env.REGISTRY }}/damien/${{ matrix.image }}"
|
|
||||||
SHORT_SHA=$(echo "${{ gitea.sha }}" | cut -c1-7)
|
|
||||||
|
|
||||||
# Create auth config for registry
|
|
||||||
mkdir -p ~/.docker
|
|
||||||
AUTH=$(echo -n "${REGISTRY_USER}:${REGISTRY_TOKEN}" | base64 | tr -d '\n')
|
AUTH=$(echo -n "${REGISTRY_USER}:${REGISTRY_TOKEN}" | base64 | tr -d '\n')
|
||||||
cat > ~/.docker/config.json <<EOF
|
cat > /kaniko/.docker/config.json <<EOF
|
||||||
{
|
{
|
||||||
"auths": {
|
"auths": {
|
||||||
"${{ env.REGISTRY }}": {
|
"${{ env.REGISTRY }}": {
|
||||||
@@ -107,18 +97,20 @@ jobs:
|
|||||||
}
|
}
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
echo "Building ${IMAGE_NAME}..."
|
- name: Build and push with Kaniko
|
||||||
echo "Context: ./images/${{ matrix.image }}"
|
run: |
|
||||||
ls -la ./images/${{ matrix.image }}/
|
IMAGE_NAME="${{ env.REGISTRY }}/damien/${{ matrix.image }}"
|
||||||
|
SHORT_SHA=$(echo "${{ gitea.sha }}" | cut -c1-7)
|
||||||
|
|
||||||
# Build and push with buildctl
|
echo "Building ${IMAGE_NAME}..."
|
||||||
buildctl-daemonless.sh build \
|
|
||||||
--frontend dockerfile.v0 \
|
/kaniko/executor \
|
||||||
--local context=./images/${{ matrix.image }} \
|
--dockerfile=/workspace/source/images/${{ matrix.image }}/Dockerfile \
|
||||||
--local dockerfile=./images/${{ matrix.image }} \
|
--context=/workspace/source/images/${{ matrix.image }} \
|
||||||
--output type=image,name=${IMAGE_NAME}:latest,push=true \
|
--destination=${IMAGE_NAME}:latest \
|
||||||
--output type=image,name=${IMAGE_NAME}:${SHORT_SHA},push=true \
|
--destination=${IMAGE_NAME}:${SHORT_SHA} \
|
||||||
--opt build-arg:BUILDKIT_INLINE_CACHE=1
|
--cache=true \
|
||||||
|
--cache-repo=${IMAGE_NAME}-cache
|
||||||
|
|
||||||
echo "✅ Pushed ${IMAGE_NAME}:latest"
|
echo "✅ Pushed ${IMAGE_NAME}:latest"
|
||||||
echo "✅ Pushed ${IMAGE_NAME}:${SHORT_SHA}"
|
echo "✅ Pushed ${IMAGE_NAME}:${SHORT_SHA}"
|
||||||
|
|||||||
Reference in New Issue
Block a user