fix: Kaniko skip-push-permission-check (#193) #218

Merged

forgejo_admin merged 1 commit from 193-kaniko-skip-push-check into main

2026-03-27 05:20:55 +00:00

forgejo_admin commented

2026-03-27 05:03:15 +00:00

Owner

Summary

Kaniko's push permission check uses a separate HTTPS transport that ignores --insecure-registry, causing a timeout when probing port 443 on the internal Harbor registry. Adding --skip-push-permission-check via extra_opts bypasses this probe entirely.

Changes

.woodpecker.yaml: Added extra_opts: "--skip-push-permission-check" to the build-and-push step settings, after insecure-registry

Test Plan

PR pipeline runs test + migration-test steps (build-and-push only fires on main merge)
Once merged, the main-branch pipeline will exercise the Kaniko build-and-push step with the new flag
The fix was validated in a real Kaniko pod before this PR

Review Checklist

Single-line addition, no behavioral change to test/migration steps
Flag validated in a real Kaniko pod before shipping
No secrets or env var changes required

Closes forgejo_admin/pal-e-platform#193

## Summary Kaniko's push permission check uses a separate HTTPS transport that ignores `--insecure-registry`, causing a timeout when probing port 443 on the internal Harbor registry. Adding `--skip-push-permission-check` via `extra_opts` bypasses this probe entirely. ## Changes - `.woodpecker.yaml`: Added `extra_opts: "--skip-push-permission-check"` to the `build-and-push` step settings, after `insecure-registry` ## Test Plan - PR pipeline runs test + migration-test steps (build-and-push only fires on main merge) - Once merged, the main-branch pipeline will exercise the Kaniko build-and-push step with the new flag - The fix was validated in a real Kaniko pod before this PR ## Review Checklist - [x] Single-line addition, no behavioral change to test/migration steps - [x] Flag validated in a real Kaniko pod before shipping - [x] No secrets or env var changes required ## Related Notes Closes forgejo_admin/pal-e-platform#193

forgejo_admin added 1 commit

2026-03-27 05:03:15 +00:00

fix: add skip-push-permission-check to Kaniko build step

ci/woodpecker/pr/woodpecker Pipeline failed

Details

72f2331551

The insecure-registry setting does not apply to Kaniko's push permission
check, which uses a separate transport that still probes HTTPS on 443.
Adding --skip-push-permission-check bypasses this entirely. Validated
in a real Kaniko pod before shipping.

Refs: forgejo_admin/pal-e-platform#193

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

forgejo_admin commented

2026-03-27 05:03:43 +00:00

Author

Owner

QA Review

Diff: 1 file changed, 1 line added, 0 deleted.

Findings

Correctness: extra_opts is the correct plugin-kaniko setting for passing additional Kaniko flags. --skip-push-permission-check is a valid Kaniko flag that bypasses the HTTPS push permission probe.
Placement: Correctly placed in the settings: block alongside insecure and insecure-registry.
Scope: Only affects the build-and-push step (main branch pushes). No impact on test or migration-test steps.
PR body: Root cause explained clearly, test plan is sound.

VERDICT: APPROVE

Clean single-line CI fix. No issues found.

## QA Review **Diff**: 1 file changed, 1 line added, 0 deleted. ### Findings 1. **Correctness**: `extra_opts` is the correct plugin-kaniko setting for passing additional Kaniko flags. `--skip-push-permission-check` is a valid Kaniko flag that bypasses the HTTPS push permission probe. 2. **Placement**: Correctly placed in the `settings:` block alongside `insecure` and `insecure-registry`. 3. **Scope**: Only affects the `build-and-push` step (main branch pushes). No impact on test or migration-test steps. 4. **PR body**: Root cause explained clearly, test plan is sound. ### VERDICT: APPROVE Clean single-line CI fix. No issues found.