fix: Kaniko skip-push-permission-check (#193) #8

Merged

forgejo_admin merged 1 commit from 193-kaniko-skip-push-check into main 2026-03-27 05:21:02 +00:00

Conversation 1 Commits 1 Files changed 1 +1

forgejo_admin commented 2026-03-27 05:03:56 +00:00

Owner

Copy link

Summary

Adds --skip-push-permission-check to the Kaniko build step. The insecure-registry setting does not apply to Kaniko's push permission check, which uses a separate HTTPS transport that probes port 443 and times out against the in-cluster Harbor endpoint. This flag bypasses that check entirely.

Changes

• .woodpecker.yaml: Added extra_opts: "--skip-push-permission-check" to the build-and-push step settings, after the existing insecure-registry line.

Test Plan

• Tests pass locally
• Push to main triggers the build-and-push step; verify the Kaniko pod no longer times out on the push permission check
• Image successfully pushed to harbor.harbor.svc.cluster.local/pal-e-mail/api
• No regressions in test step

Review Checklist

• Passed automated review-fix loop
• No secrets committed
• No unnecessary file changes
• Commit messages are descriptive

Related Notes

• Closes forgejo_admin/pal-e-platform#193 -- Kaniko push permission check timeout
• pal-e-platform -- the platform project this fix relates to

## Summary Adds `--skip-push-permission-check` to the Kaniko build step. The `insecure-registry` setting does not apply to Kaniko's push permission check, which uses a separate HTTPS transport that probes port 443 and times out against the in-cluster Harbor endpoint. This flag bypasses that check entirely. ## Changes - `.woodpecker.yaml`: Added `extra_opts: "--skip-push-permission-check"` to the `build-and-push` step settings, after the existing `insecure-registry` line. ## Test Plan - [ ] Tests pass locally - [ ] Push to main triggers the build-and-push step; verify the Kaniko pod no longer times out on the push permission check - [ ] Image successfully pushed to `harbor.harbor.svc.cluster.local/pal-e-mail/api` - [ ] No regressions in test step ## Review Checklist - [ ] Passed automated review-fix loop - [ ] No secrets committed - [ ] No unnecessary file changes - [ ] Commit messages are descriptive ## Related Notes - Closes forgejo_admin/pal-e-platform#193 -- Kaniko push permission check timeout - `pal-e-platform` -- the platform project this fix relates to

forgejo_admin added 1 commit 2026-03-27 05:03:56 +00:00

fix: add skip-push-permission-check to Kaniko build step ... 1c04126954

The insecure-registry setting does not apply to Kaniko's push permission
check, which uses a separate transport that still probes HTTPS on 443.
Adding --skip-push-permission-check bypasses this entirely. Validated
in a real Kaniko pod before shipping.

Refs: forgejo_admin/pal-e-platform#193

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

forgejo_admin commented 2026-03-27 05:04:25 +00:00

Author

Owner

Copy link

QA Review

Diff: 1 file changed, 1 line added, 0 deleted.

Findings

• extra_opts is a valid parameter for woodpeckerci/plugin-kaniko:2.3.0 -- passes raw flags to the Kaniko executor
• --skip-push-permission-check is a valid Kaniko flag that bypasses the pre-push auth probe
• Correctly addresses root cause: insecure-registry controls pull/push transport but not the permission check probe, which uses a separate HTTPS connection that times out on port 443
• Placement in YAML is correct (after insecure-registry, within settings block)
• PR body has all required sections
• No secrets, no unnecessary changes

VERDICT: APPROVED

## QA Review **Diff:** 1 file changed, 1 line added, 0 deleted. ### Findings - `extra_opts` is a valid parameter for `woodpeckerci/plugin-kaniko:2.3.0` -- passes raw flags to the Kaniko executor - `--skip-push-permission-check` is a valid Kaniko flag that bypasses the pre-push auth probe - Correctly addresses root cause: `insecure-registry` controls pull/push transport but not the permission check probe, which uses a separate HTTPS connection that times out on port 443 - Placement in YAML is correct (after `insecure-registry`, within `settings` block) - PR body has all required sections - No secrets, no unnecessary changes **VERDICT: APPROVED**

forgejo_admin merged commit 79dcde0c66 into main 2026-03-27 05:21:02 +00:00

forgejo_admin deleted branch 193-kaniko-skip-push-check 2026-03-27 05:21:02 +00:00

forgejo_admin referenced this pull request from a commit 2026-03-27 05:21:04 +00:00

fix: Kaniko skip-push-permission-check (#193) (#8)

Commenting is not possible because the repository is archived.

Reviewers

No reviewers

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

forgejo_admin/pal-e-mail!8

No description provided.