fix: Kaniko skip-push-permission-check (#193) #24

Merged
forgejo_admin merged 1 commit from 193-kaniko-skip-push-check into main 2026-03-27 05:21:00 +00:00

Summary

  • Kaniko's push permission check uses a separate HTTPS transport that ignores insecure-registry, causing a TLS dial timeout against Harbor's internal HTTP-only endpoint on port 443.
  • Adding --skip-push-permission-check via extra_opts bypasses this probe entirely.

Changes

  • .woodpecker.yaml: Added extra_opts: "--skip-push-permission-check" to the build-and-push Kaniko step settings, after insecure-registry.

Test Plan

  • CI pipeline triggers on PR event (test step: npm ci, npm run check, npm test, npm run build)
  • Merge to main triggers full build-and-push -- Kaniko pushes to Harbor without 30s TLS timeout
  • Verify in Woodpecker logs that --skip-push-permission-check flag appears in Kaniko invocation

Review Checklist

  • Passed automated review-fix loop
  • No secrets committed
  • No unnecessary file changes
  • Commit messages are descriptive

Related Notes

  • Closes #23
  • Related: forgejo_admin/pal-e-platform#193 -- parent issue tracking Kaniko permission check fix
The insecure-registry setting does not apply to Kaniko's push permission
check, which uses a separate transport that still probes HTTPS on 443.
Adding --skip-push-permission-check bypasses this entirely. Validated
in a real Kaniko pod before shipping.

Refs: forgejo_admin/pal-e-platform#193

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Author
Owner

QA Review

Diff Analysis

Single-line addition to .woodpecker.yaml: adds extra_opts: "--skip-push-permission-check" to the Kaniko plugin settings in the build-and-push step.

Domain Review (CI/Kaniko)

  • Correct flag: --skip-push-permission-check is a valid Kaniko flag that bypasses the pre-push credential/permission probe. This is the right fix for insecure (HTTP-only) registries where the HTTPS permission check fails.
  • Correct plugin setting: extra_opts is the documented way to pass additional flags to Kaniko via the woodpeckerci/plugin-kaniko plugin.
  • Placement: Logically placed after insecure-registry, which groups the insecure-transport settings together.
  • No side effects: This flag only skips the permission pre-check. Kaniko still authenticates via the username/password secrets when performing the actual push.

SOP Compliance

  • PR body follows template (Summary, Changes, Test Plan, Review Checklist, Related Notes)
  • Closes #23 present for auto-close
  • Cross-repo reference to parent issue forgejo_admin/pal-e-platform#193
  • No secrets committed
  • No unrelated file changes
  • Commit message is descriptive with proper refs

Nits

None.


VERDICT: APPROVE

forgejo_admin deleted branch 193-kaniko-skip-push-check 2026-03-27 05:21:00 +00:00
Reference
forgejo_admin/westside-contracts!24