Commit b3266ca7 authored by Clement Bois

initial commit


.gitlab-ci.yml

0 → 100644
+36 −0
include:
  - component: "$CI_SERVER_FQDN/$TBC_NAMESPACE/docker/gitlab-ci-docker@8"
    inputs:
      context-path: "kaniko"
      file: "deploy/Dockerfile"
      build-args: >-
        --target kaniko-debug --cache-ttl=6h
        --platform linux/amd64 --platform linux/arm64
      hadolint-disabled: "true"
      prod-publish-strategy: "auto"
      snapshot-image: "$CI_REGISTRY_IMAGE/snapshot:$KANIKO_VERSION"
      release-image: "$CI_REGISTRY_IMAGE:$KANIKO_VERSION"
      release-extra-tags: "latest \\g<major>.\\g<minor>\\g<build> \\g<major>\\g<build>"

variables:
  # renovate: datasource=github-releases depName=chainguard-forks/kaniko
  KANIKO_VERSION: "1.25.6"

workflow:
  rules:
    - !reference [.tbc-workflow-rules, default]
    # kaniko cannot build itself. Either use buildah or pull the image from gitlab.com instead of building it locally.
    - if: $DOCKER_BUILD_TOOL == "kaniko" || ($DOCKER_BUILD_TOOL == "default" && $TBC_DEFAULT_DOCKER_BUILD_TOOL == "kaniko")
      when: never
    - when: always

get-kaniko:
  stage: build
  script:
    - git clone --depth 1 --branch "v$KANIKO_VERSION" https://github.com/chainguard-forks/kaniko.git
  artifacts:
    name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
    expire_in: 1 day
    when: always
    paths:
      - kaniko
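
Review bot: In the `get-kaniko` script, `git clone --depth 1 --branch "v$KANIKO_VERSION"` builds from whatever the upstream tag points to at pipeline time, and nothing in the job records or checks the commit that was actually cloned. If the tag is moved or re-created upstream, the published image changes with no change in this repository. Consider keeping the expected commit SHA next to `KANIKO_VERSION` and failing the job when `git -C kaniko rev-parse HEAD` differs, or at least printing that SHA in the job log. Related: the artifact is kept with `expire_in: 1 day`, so the cloned source disappears a day after the pipeline while the image published under `latest` remains.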

LICENSE.txt

0 → 100644
+21 −0
MIT License

Copyright (C) 2026 Clement Bois and contributors

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

README.md

0 → 100644
+26 −0
# Kaniko builder for to-be-continuous

This project provides container images for the [Chainguard fork](https://github.com/chainguard-forks/kaniko) of the
Kaniko project.
The original Kaniko project was archived in June of 2025, and the Chainguard fork was created to continue providing security updates but without providing any artifacts.

This project doesn't contain the Kaniko source code, but instead provides a CI pipeline to build, test, and publish container images for tagged releases of the Kaniko project.
The repository used for the build is saved as artifacts in the clone_repo job in each pipeline, for traceability and reproducibility.

## What is Kaniko?

Kaniko is a tool to build container images from a Dockerfile inside a Kubernetes cluster or a nested container.
It doesn't depend on a Docker daemon and executes each command within a Dockerfile completely in userspace.
This makes it a great tool for building container images in environments such as GitLab runners on Kubernetes.

Built images are only supported of use in the to-be-continuous Docker template, but they can be used in any environment that supports OCI images.

## Usage

This image is used add default `DOCKER_KANIKO_IMAGE` in the [to-be-continuous Docker template](https://gitlab.com/to-be-continuous/docker).

It can also be used directly with `docker run registry.gitlab.com/to-be-continuous/tools/kaniko-builder`

Only the "debug executor" image is published as it is the only one used in CI pipelines. It is built for `amd64` and `arm64` architectures, and tagged with the version of the Kaniko project it is built from.

See Kaniko's [documentation](https://github.com/chainguard-forks/kaniko) for more information on how to use it.
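
Review bot: The traceability sentence names a `clone_repo` job, but the only job defined in `.gitlab-ci.yml` in this commit is `get-kaniko`, and its artifact is kept for `expire_in: 1 day`, so the stated traceability and reproducibility only hold for a day after each pipeline. Fix the job name and either lengthen the retention or state what remains available after expiry. In the Usage section the `docker run` example carries no tag, so it resolves to `latest`; showing a version tag would match the tagging described in the following paragraph. Wording: "only supported of use" should read "only supported for use", and "is used add default" should read "is used as the default".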

SECURITY.md

0 → 100644
+14 −0
# Security Policy

## Supported Versions

Security fixes and updates are only applied to the latest released version. So always try to be up to date.

## Reporting a Vulnerability

In order to minimize risks of attack while investigating and fixing the issue, any vulnerability shall be reported by
opening a [**confidential** issue on gitlab.com](https://gitlab.com/to-be-continuous/tools/gitlab-cp/-/issues/new).

Follow-up and fixing will be made on a _best effort_ basis.

If you have doubts about a potential vulnerability, please reach out one of the maintainers on Discord.
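
Review bot: The confidential-issue link under "Reporting a Vulnerability" points at `to-be-continuous/tools/gitlab-cp/-/issues/new`, while the README in this commit refers to the image as `registry.gitlab.com/to-be-continuous/tools/kaniko-builder`. If the link was carried over from another project, vulnerability reports for this image will be filed in the wrong tracker; point it at this project's own issue tracker. The last line also tells reporters to contact a maintainer on Discord without giving a server or invite link, so there is no usable contact path there. Wording: "reach out one of the maintainers" should read "reach out to one of the maintainers".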

renovate.json

0 → 100644
+44 −0
{
    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
    "extends": [
        "config:best-practices",
        ":disableDependencyDashboard"
    ],
    "packageRules": [
        {
            "matchDatasources": [
                "gitlab-tags"
            ],
            "versioning": "docker"
        },
        {
            "groupName": "to-be-continuous dependencies",
            "groupSlug": "tbc-deps",
            "matchPackagePatterns": [
                "to-be-continuous/*"
            ],
            "matchUpdateTypes": [
                "minor",
                "patch"
            ],
            "automerge": true,
            "automergeType": "pr",
            "platformAutomerge": true,
            "rebaseWhen": "auto"
        }
    ],
    "customManagers": [
        {
            "customType": "regex",
            "managerFilePatterns": [
                ".gitlab-ci.yml$"
            ],
            "matchStrings": [
                "# renovate: datasource=(?<datasource>.*?) depName=(?<depName>.*?)( versioning=(?<versioning>.*?))?\\s\\S+?:(?<currentValue>\\S+)\\s+\\S+:.+",
                "# renovate: datasource=(?<datasource>.*?) depName=(?<depName>.*?)( versioning=(?<versioning>.*?))?\\s\\S+?:\\S+\\s+\\S+:(?<currentValue>\\S+)"
            ],
            "versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}"
        }
    ]
}
 No newline at end of file
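
Review bot: In `customManagers`, neither `matchStrings` pattern looks able to match the one annotated line in `.gitlab-ci.yml`. Both require, right after a single whitespace character following the comment, a key whose colon is immediately followed by non-whitespace (`\\s\\S+?:(?<currentValue>\\S+)` and `\\s\\S+?:\\S+`), whereas the variable is written indented and with a space after the colon: `KANIKO_VERSION: "1.25.6"`. As written, Renovate would not propose Kaniko updates, which defeats the "always be up to date" policy in SECURITY.md. Add a pattern for the `KEY: "value"` form (allowing leading indentation and excluding the quotes from `currentValue`) and confirm it against the file. Also check that `".gitlab-ci.yml$"` in `managerFilePatterns` is interpreted as a regex and not as a glob by the Renovate version in use. Separately, `automerge: true` with `platformAutomerge` for `to-be-continuous/*` minor and patch updates means the included pipeline component can change without human review, so make sure that is intended for a project that publishes a build image.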