
Build and push an image using Kaniko in a GitHub Actions workflow


I want to build and push an image to ACR using GH Actions with self-hosted runners in AKS.

After some research I found out that using Docker is not a way of doing this in the context of Kubernetes, so I found Kaniko. As shown in the official docs, "running Kaniko in any Docker image other than the official Kaniko image is not supported" (https://github.com/GoogleContainerTools/kaniko?tab=readme-ov-file#known-issues), so the only way left is to run the job in a container using the official Kaniko image. The problem here is that the official Kaniko image comes only with the packages and binaries needed to run Kaniko, but in the context of a CI pipeline a lot more than the build and push stage is needed. After reaching this point I have two jobs: one for all the previous steps that run before building and pushing the image, and the other one that should build and push the image with Kaniko.

This is the workflow:

name: CI

on:
  workflow_call:
    inputs:
      tag:
        required: true
        type: string
        description: 'The tag name'
jobs:
  previous-CI:
    runs-on: arc-runners-set
    permissions:
      contents: write
      packages: write
      id-token: write
    steps:
      ... (previous steps that generate the files and folders needed to build the image) ...

      - uses: actions/upload-artifact@v4
        with:
          name: ci_workspace
          path: .
          include-hidden-files: true

  build-and-push-image:
    needs: previous-CI
    runs-on: arc-runners-set
    container:
      image: gcr.io/kaniko-project/executor:v1.23.0-debug
    permissions:
      contents: read  # read the repository
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: ci_workspace  # must match the name given to upload-artifact in the first job
      - name: Build and push image to ACR
        run: |
          cat <<EOF > /kaniko/.docker/config.json
          { "credHelpers": { "my-acr.acurecr.io": "acr-env" } }
          EOF

          /kaniko/executor --dockerfile="./folderD/Dockerfile" \
            --context="${{ github.repositoryUrl }}#${{ github.ref }}#${{ github.sha }}"  \
            --destination="my-acr.acurecr.io/${{ github.event.repository.name }}:${{ inputs.tag }}" \
            ${{ env.KANIKO_CACHE_ARGS }}
        env:
          # Credentials consumed by the acr-env credential helper; reference repository
          # secrets rather than pasting literal values into the workflow file
          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          # Used by Kaniko to clone the git:// build context
          GIT_USERNAME: ${{ github.actor }}
          GIT_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
          # Referenced as ${{ env.KANIKO_CACHE_ARGS }} in the run step above
          KANIKO_CACHE_ARGS: "--push-retry 5 --no-push-cache --cleanup"

Now the problem is that in the build and push job I do not have the same workspace as the one in the previous job, so I tried the official GH solution for that, which is using the upload-artifact and download-artifact actions. The upload-artifact action works well, but when the run reaches the second job and tries to download the artifact the following error is returned:

Run actions/download-artifact@v4
Run '/home/runner/k8s/index.js'
env: can't execute '/__e/node20/bin/node': No such file or directory
Error: Error: failed to run script step: command terminated with non-zero exit code: error executing command [sh -e /__w/_temp/963a62d0-dc83-11ef-aa32-5de5ef08af87.sh], exit code 127
Error: Process completed with exit code 1.
Error: Executing the custom container implementation failed. Please contact your self hosted runner administrator.

It seems like Node is needed to use the download-artifact action but the Kaniko image does not come with it installed. I've tried to use the setup-node action but the same error is returned:

Run actions/setup-node@v4
Run '/home/runner/k8s/index.js'
env: can't execute '/__e/node20/bin/node': No such file or directory
Error: Error: failed to run script step: command terminated with non-zero exit code: error executing command [sh -e /__w/_temp/2a593930-dc8b-11ef-8072-e38ac080b9d3.sh], exit code 127
Error: Process completed with exit code 1.
Error: Executing the custom container implementation failed. Please contact your self hosted runner administrator.

At this point, is there anything else I could try that I don't know about?


Solution

  • I would skip the GitHub Actions artifact steps entirely (use a different store for the build context). After you do “previous steps” in your first job, commit/push changes to a separate branch or to the same Git branch. In the second job (Kaniko job), specify:

    /kaniko/executor \
      --context=git://github.com/<org>/<repo>.git#refs/heads/your-branch#<sha> \
      --dockerfile=... \
      --destination=...


    or, if you tar up the context and put it in storage like S3:

    /kaniko/executor \
      --context=https://<storageaccount>.blob.core.windows.net/<container>/context.tar.gz \
      --dockerfile=... \
      --destination=...
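The tarball variant of the answer, carried through as an added example that is not the asker's or answerer's code: pack_context runs in the first job and records a SHA-256 of the context, and the Kaniko job verifies that digest before pointing the executor at the tarball, so a context pulled from external storage cannot be swapped unnoticed. The paths, the digest hand-off between jobs and run_kaniko_from_tar's use of Kaniko's local tar:// context scheme are assumptions; the upload to and download from blob storage are left to the workflow.

```shell
#!/bin/sh
# Added example (not from the question or answer). Paths and the digest hand-off
# between the two jobs are illustrative assumptions.
set -eu

# pack_context SRC_DIR OUT_TAR
# First job: tar the generated workspace (without .git), write OUT_TAR.sha256
# beside it and print the digest so the job can expose it as an output.
pack_context() {
  src="$1"; out="$2"
  tar -C "$src" --exclude=.git -czf "$out" .
  sha256sum "$out" | cut -d' ' -f1 > "$out.sha256"
  cat "$out.sha256"
}

# verify_context TAR EXPECTED_DIGEST
# Kaniko job: succeed only if the downloaded tarball hashes to the digest the
# producing job recorded; anything else means the stored context was altered.
verify_context() {
  tarball="$1"; expected="$2"
  actual=$(sha256sum "$tarball" | cut -d' ' -f1)
  [ "$actual" = "$expected" ]
}

# run_kaniko_from_tar TAR EXPECTED_DIGEST DESTINATION
# Kaniko job: refuse to build on a digest mismatch, otherwise hand the verified
# tarball to the executor via the local tar:// context scheme (assumed usage).
run_kaniko_from_tar() {
  tarball="$1"; expected="$2"; dest="$3"
  if ! verify_context "$tarball" "$expected"; then
    echo "build context digest mismatch, refusing to build" >&2
    return 1
  fi
  /kaniko/executor --context="tar://$tarball" \
    --dockerfile=folderD/Dockerfile \
    --destination="$dest"
}
```

The `.sha256` sidecar is what the first job should pass to the second (for example as a job output), not something stored next to the tarball where the same write access that alters the tarball can also alter the digest.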