fix: refactor Kaniko workflow and values-kaniko.yaml for improved clarity and efficiency

joshyorko · joshyorko · commit 2e4b5c944085 · 2025-06-25T09:06:35.000-04:00
diff --git a/.github/workflows/build-kaniko-docker.yaml b/.github/workflows/build-kaniko-docker.yaml
@@ -1,56 +1,39 @@
-name: Build and Push Fetch Repos Bot Runner Docker Image with Kaniko
-
-on:
-  push:
-    paths:
-      - 'robot.yaml'
-      - 'conda.yaml'
-      - 'repos/fetch-repos/Dockerfile'
-  pull_request:
-    paths:
-      - 'robot.yaml'
-      - 'conda.yaml'
-      - 'repos/fetch-repos/Dockerfile'
-  workflow_dispatch:
+name: Build & Push with Kaniko
+on: [workflow_dispatch]
 
 env:
-  REGISTRY: ghcr.io
-  IMAGE_NAME: ${{ github.repository_owner }}/fetch-repos-bot-runner
-
-concurrency:
-  group: kaniko-${{ github.ref }}
-  cancel-in-progress: true
+  IMAGE: ghcr.io/joshyorko/fetch-repos-bot-runner
 
 jobs:
-  build-and-push:
+  build:
     runs-on: fetch-repos-bot-runner-k8s-kaniko
-    container: { image: ghcr.io/actions/actions-runner:latest }  # slim base
+    # Run the whole job *inside* Kaniko’s image — no docker:// indirection
+    container:
+      image: gcr.io/kaniko-project/executor:v1.23.2-debug
+    permissions:
+      contents: read           # checkout
+      packages: write          # push to GHCR
+
     steps:
       - uses: actions/checkout@v4
-      - name: Kaniko build
-        uses: docker://gcr.io/kaniko-project/executor:v1.23.2
-        env: { DOCKER_CONFIG: /kaniko/.docker }    # picked up from secret
-        with:
-          args: >
-            --dockerfile=repos/fetch-repos/Dockerfile
-            --context=.
-            --destination=ghcr.io/joshyorko/fetch-repos-bot-runner:${{ github.sha }}
-            --cache=true
-            --cache-repo=ghcr.io/joshyorko/fetch-repos-bot-runner-cache:latest
 
-      - name: Build and push latest tag (if main branch)
-        if: github.ref == 'refs/heads/main'
-        uses: docker://gcr.io/kaniko-project/executor:v1.23.2
-        env:
-          DOCKER_CONFIG: /kaniko/.docker/
-        with:
-          args: >
-            --dockerfile=repos/fetch-repos/Dockerfile
-            --context=.
-            --destination=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
-            --cache=true
-            --cache-repo=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-cache:latest
-            --cache-dir=/workspace/.kaniko/cache
-            --snapshotMode=redo
-            --push-retry=3
+      - name: Write GHCR auth file
+        run: |
+          mkdir -p /kaniko/.docker
+          echo "{\"auths\":{\"ghcr.io\":{\"auth\":\"$(echo -n '${{ github.actor }}:${{ secrets.CR_PAT }}' | base64 -w0)\"}}}" \
+          > /kaniko/.docker/config.json
+
+      - name: Build & push
+        run: |
+          /kaniko/executor --dockerfile Dockerfile \
+                           --context . \
+                           --destination ${IMAGE}:${GITHUB_SHA::7} \
+                           --cache=true --cache-repo=${IMAGE}-cache:latest
 
+      - name: Tag latest on default branch
+        if: github.ref == 'refs/heads/main'
+        run: |
+          /kaniko/executor --dockerfile Dockerfile \
+                           --context . \
+                           --destination ${IMAGE}:latest \
+                           --cache=true --cache-repo=${IMAGE}-cache:latest
diff --git a/repos/fetch-repos/values-kaniko.yaml b/repos/fetch-repos/values-kaniko.yaml
@@ -1,103 +1,24 @@
-# --------------------------------------------------------------------
-# GitHub configuration
-# --------------------------------------------------------------------
-githubConfigUrl: "https://github.com/joshyorko/fetch-repos-bot"
-githubConfigSecret: pre-defined-secret
+runnerScaleSetName: fetch-repos-bot-runner-k8s-kaniko
 
-# --------------------------------------------------------------------
-# Runner scale set configuration for Kaniko builds
-# --------------------------------------------------------------------
-runnerScaleSetName: "fetch-repos-bot-runner-k8s-kaniko"
+githubConfigUrl: https://github.com/joshyorko/fetch-repos-bot
+githubConfigSecret: pre-defined-secret     # PAT or GitHub App for runner registration
 
-# --------------------------------------------------------------------
-# Kubernetes container mode configuration
-# --------------------------------------------------------------------
 containerMode:
-  type: "kubernetes"
+  type: kubernetes
   kubernetesModeWorkVolumeClaim:
+    storageClassName: local-path
     accessModes: ["ReadWriteOnce"]
-    storageClassName: "local-path"  # Adjust for your cluster (e.g., gp2, local-path, etc.)
     resources:
-      requests:
-        storage: 5Gi  # Kaniko needs scratch space for layer cache and build context
+      requests: { storage: 5Gi }
 
-# --------------------------------------------------------------------
-# Runner Pod template configuration for Kaniko
-# --------------------------------------------------------------------
 template:
   spec:
-    # Removed dnsPolicy and dnsConfig to use cluster defaults
-    
-    # Image pull secrets for accessing private container registries
-    imagePullSecrets:
-      - name: ghcr-login  # Secret for GHCR authentication
-    
+    # let Kaniko write its own auth file, no extra volumes needed
+    imagePullSecrets: [{ name: ghcr-login }]
     containers:
       - name: runner
-        image: ghcr.io/actions/actions-runner:latest  # Use stock GitHub Actions runner image
-        imagePullPolicy: Always
+        image: ghcr.io/actions/actions-runner:latest
         command: ["/home/runner/run.sh"]
-        resources:
-          requests:
-            cpu: "500m"
-            memory: "1Gi"
-          limits:
-            cpu: "500m"
-            memory: "1Gi"
-        
-        # Environment variables for Kaniko authentication
         env:
-          - name: DOCKER_CONFIG
-            value: "/kaniko/.docker/"
-        
-        # Volume mounts for Kaniko authentication
-        volumeMounts:
-          - name: docker-config
-            mountPath: /kaniko/.docker
-            readOnly: true
-    
-    # Volumes for Kaniko authentication
-    volumes:
-      - name: docker-config
-        secret:
-          secretName: ghcr-login 
-          items:
-            - key: .dockerconfigjson
-              path: config.json
-
-# Add jobTemplate block to mount the secret into every job-pod
-# values-kaniko.yaml  (replace the whole jobTemplate with this)
-jobTemplate:
-  spec:
-    # add the secret volume
-    volumes:
-      - name: docker-config
-        secret:
-          secretName: ghcr-login
-          items:
-            - key: .dockerconfigjson
-              path: config.json
-    # patch *all* containers (no name field → merge into every container)
-    containers:
-      - volumeMounts:
-          - name: docker-config
-            mountPath: /kaniko/.docker
-            readOnly: true
-        env:                                 # (optional but nice)
-          - name: DOCKER_CONFIG
-            value: /kaniko/.docker
-
-# --------------------------------------------------------------------
-# Scaling configuration
-# --------------------------------------------------------------------
-maxRunners: 3  # Reduced since Kaniko builds are more resource-efficient
-minRunners: 0
-
-# --------------------------------------------------------------------
-# RBAC for Kubernetes container mode
-# This is automatically handled by the ARC Helm chart when containerMode.type is set to "kubernetes"
-# The chart will create the necessary ServiceAccount, Role, and RoleBinding for:
-# - Creating/managing pods in the namespace
-# - Creating/managing secrets for job isolation
-# - Creating/managing PVCs for work volumes
-# --------------------------------------------------------------------
+          - name: ACTIONS_RUNNER_REQUIRE_JOB_CONTAINER
+            value: "false"   # lets you mix shell + container steps
