This repository builds a custom Kaniko Docker image. It currently utilizes a fork from Chainguard: chainguard-dev/kaniko.
A grace period follows the release of a new Kaniko tag. After this period, Renovate creates a Pull Request to update the tag referenced in build-and-push-nightly.yaml.
Patches are automatically merged, while all other updates require manual merging.
The nightly-debug tag is then used by VSHN's internal tools.
Following a similar grace period, the debug-nightly tag is re-tagged as debug (see push-stable.yaml). The debug tag is subsequently used for VSHN's AppFlow customers and other products.
The auto merge to push the stable tag after a grace period is disabled for now.
Should a problem be detected with the debug-nightly tag, or even with the upstream fork, automatic updates can be paused via the Renovate settings for this repository.
For expedited security fixes, it's possible to manually update the tag and SHA to be published by the push-stable.yaml workflow. The relevant SHA can be found here: ghcr.io/vshn/kaniko:nightly-debug.
GitHub Actions are pinned to their specific SHAs to ensure that updates are explicit.