Build Docker image with Kaniko

This eliminates the dependency on the host Docker daemon, thus allowing us to no longer mount it to the runner's workloads and thus securing everything.
2024-06-01 14:49:57 +02:00 · 2024-06-01 14:49:57 +02:00 · c72c4c0055
parent b4d7b355c1
commit c72c4c0055
1 changed files with 10 additions and 15 deletions
--- a/.gitea/workflows/docker.yml
+++ b/.gitea/workflows/docker.yml
@ -1,4 +1,5 @@
 name: Build and publish Docker image
+
 on:
  push:
  pull_request:
@ -19,28 +20,22 @@ jobs:
    steps:
      - uses: actions/checkout@v3

-      - name: Log in to registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-
      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

-      - name: Build and push Docker image
-        uses: docker/build-push-action@v5
+      - name: Build Docker image with kaniko
+        uses: aevea/action-kaniko@9223ef89b8302afed279fc956849bfd45d7686d2
        with:
-          context: .
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          platforms: |
-            linux/amd64
+          image: ${{ env.IMAGE_NAME }}
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+          tag: ${{ steps.meta.outputs.tags }}
+          platforms: linux/amd64
+          tag_with_latest: ${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}

      - name: Trigger redeployment
        if: gitea.ref == 'refs/heads/main'