feat: migrate to GitLab CI/CD component

60f2c3f6 · Pierre Smeyers · Cédric OLIVIER · b8b40b73 · 60f2c3f6 · 60f2c3f6
Commit 60f2c3f6 authored 1 year ago by Pierre Smeyers Committed by Cédric OLIVIER 1 year ago
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -10,7 +10,7 @@ include:
    file: '/templates/validation.yml'
  - project: 'to-be-continuous/bash'
    ref: '3.3'
-    file: 'templates/gitlab-ci-bash.yml'
+    file: '/templates/gitlab-ci-bash.yml'
  - project: 'to-be-continuous/semantic-release'
    ref: '3.7'
    file: '/templates/gitlab-ci-semrel.yml'    

--- a/README.md
+++ b/README.md
--- a/bumpversion.sh
+++ b/bumpversion.sh
@@ -27,13 +27,13 @@ if [[ "$curVer" ]]; then
  log_info "Bump version from \\e[33;1m${curVer}\\e[0m to \\e[33;1m${nextVer}\\e[0m (release type: $relType)..."

  # replace in README
-  sed -e "s/ref: '$curVer'/ref: '$nextVer'/" README.md > README.md.next
+  sed -e "s/ref: *'$curVer'/ref: '$nextVer'/" -e "s/ref: *\"$curVer\”/ref: \”$nextVer\”/" -e "s/component: *\(.*\)@$curVer/component: \1@$nextVer/" README.md > README.md.next
  mv -f README.md.next README.md

  # replace in template and variants
  for tmpl in templates/*.yml
  do
-    sed -e "s/\"$curVer\"/\"$nextVer\"/" "$tmpl" > "$tmpl.next"
+    sed -e "s/command: *\[\"--service\", \"\(.*\)\", \"$curVer\"\]/command: [\"--service\", \"\1\", \"$nextVer\"]/" "$tmpl" > "$tmpl.next"
    mv -f "$tmpl.next" "$tmpl"
  done
 else

--- a/kicker.json
+++ b/kicker.json
@@ -3,6 +3,8 @@
  "description": "Build, check and inspect your containers with [Docker](https://www.docker.com/)",
  "template_path": "templates/gitlab-ci-docker.yml",
  "kind": "package",
+  "prefix": "docker",
+  "is_component": true,
  "variables": [
    {
      "name": "DOCKER_BUILD_TOOL",
@@ -39,7 +41,7 @@
    {
      "name": "DOCKER_FILE",
      "description": "The path to your `Dockerfile`",
-      "default": "$CI_PROJECT_DIR/Dockerfile"
+      "default": "Dockerfile"
    },
    {
      "name": "DOCKER_CONTEXT_PATH",
@@ -265,6 +267,12 @@
          "default": "registry.gitlab.com/to-be-continuous/tools/gcp-auth-provider:main",
          "advanced": true
        },
+        {
+          "name": "GCP_OIDC_AUD",
+          "description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_",
+          "default": "$CI_SERVER_URL",
+          "advanced": true
+        },
        {
          "name": "GCP_OIDC_ACCOUNT",
          "description": "Default Service Account to which impersonate with OpenID Connect authentication"
@@ -275,22 +283,22 @@
        },
        {
          "name": "GCP_SNAPSHOT_OIDC_ACCOUNT",
-          "description": "Service Account to use to push the snapshot image _(only define if different from default)_",
+          "description": "Service Account to use to push the snapshot image _(only define to override default)_",
          "advanced": true
        },
        {
          "name": "GCP_SNAPSHOT_OIDC_PROVIDER",
-          "description": "Workload Identity Provider to push the snapshot image _(only define if different from default)_",
+          "description": "Workload Identity Provider to push the snapshot image _(only define to override default)_",
          "advanced": true
        },
        {
          "name": "GCP_RELEASE_OIDC_ACCOUNT",
-          "description": "Service Account to use to push the release image _(only define if different from default)_",
+          "description": "Service Account to use to push the release image _(only define to override default)_",
          "advanced": true
        },
        {
          "name": "GCP_RELEASE_OIDC_PROVIDER",
-          "description": "Workload Identity Provider to push the release image _(only define if different from default)_",
+          "description": "Workload Identity Provider to push the release image _(only define to override default)_",
          "advanced": true
        }
      ]
@@ -313,12 +321,12 @@
        },
        {
          "name": "AWS_SNAPSHOT_REGION",
-          "description": "Region of the ECR registry for the snapshot image _(only define if different from default)_",
+          "description": "Region of the ECR registry for the snapshot image _(only define to override default)_",
          "advanced": true
        },
        {
          "name": "AWS_RELEASE_REGION",
-          "description": "Region of the ECR registry for the release image _(only define if different from default)_",
+          "description": "Region of the ECR registry for the release image _(only define to override default)_",
          "advanced": true
        },
        {

--- a/logo.png
+++ b/logo.png
--- a/templates/gitlab-ci-docker-ecr.yml
+++ b/templates/gitlab-ci-docker-ecr.yml
 # =====================================================================================================================
 # === AWS Auth template variant
 # =====================================================================================================================
+spec:
+  inputs:
+    aws-region:
+      description: Default region (where the ECR registry is located)
+      default: ''
+    aws-snapshot-region:
+      description: Region of the ECR registry for the snapshot image _(only define if
+        different from default)_
+      default: ''
+    aws-release-region:
+      description: Region of the ECR registry for the release image _(only define if
+        different from default)_
+      default: ''
+    aws-oidc-aud:
+      description: The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_
+      default: $CI_SERVER_URL
+    aws-oidc-role-arn:
+      description: Default IAM Role ARN associated with GitLab _(only required for [OIDC
+        authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_
+      default: ''
+    aws-snapshot-oidc-role-arn:
+      description: IAM Role ARN associated with GitLab for the snapshot image _(only
+        required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/)
+        and if different from default)_
+      default: ''
+    aws-release-oidc-role-arn:
+      description: IAM Role ARN associated with GitLab for the release image _(only
+        required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/)
+        and if different from default)_
+      default: ''
+---
 variables:
-  TBC_AWS_PROVIDER_IMAGE: "registry.gitlab.com/to-be-continuous/tools/aws-auth-provider:master"
-  AWS_OIDC_AUD: "$CI_SERVER_URL"
+  TBC_AWS_PROVIDER_IMAGE: registry.gitlab.com/to-be-continuous/tools/aws-auth-provider:master
+  AWS_OIDC_AUD: $[[ inputs.aws-oidc-aud ]]
+  AWS_REGION: $[[ inputs.aws-region ]]
+  AWS_SNAPSHOT_REGION: $[[ inputs.aws-snapshot-region ]]
+  AWS_RELEASE_REGION: $[[ inputs.aws-release-region ]]
+  AWS_OIDC_ROLE_ARN: $[[ inputs.aws-oidc-role-arn ]]
+  AWS_SNAPSHOT_OIDC_ROLE_ARN: $[[ inputs.aws-snapshot-oidc-role-arn ]]
+  AWS_RELEASE_OIDC_ROLE_ARN: $[[ inputs.aws-release-oidc-role-arn ]]

 .docker-base:
  services:

--- a/templates/gitlab-ci-docker-gcp.yml
+++ b/templates/gitlab-ci-docker-gcp.yml
 # =====================================================================================================================
 # === GCP Auth template variant
 # =====================================================================================================================
+spec:
+  inputs:
+    gcp-oidc-aud:
+      description: The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_
+      default: $CI_SERVER_URL
+    gcp-oidc-account:
+      description: Default Service Account to which impersonate with OpenID Connect
+        authentication
+      default: ''
+    gcp-oidc-provider:
+      description: Default Workload Identity Provider associated with GitLab to [authenticate
+        with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/)
+      default: ''
+    gcp-snapshot-oidc-account:
+      description: Service Account to use to push the snapshot image _(only define if
+        different from default)_
+      default: ''
+    gcp-snapshot-oidc-provider:
+      description: Workload Identity Provider to push the snapshot image _(only define
+        if different from default)_
+      default: ''
+    gcp-release-oidc-account:
+      description: Service Account to use to push the release image _(only define if
+        different from default)_
+      default: ''
+    gcp-release-oidc-provider:
+      description: Workload Identity Provider to push the release image _(only define
+        if different from default)_
+      default: ''
+---
 variables:
-  TBC_GCP_PROVIDER_IMAGE: "registry.gitlab.com/to-be-continuous/tools/gcp-auth-provider:main"
-  GCP_OIDC_AUD: "$CI_SERVER_URL"
-
+  TBC_GCP_PROVIDER_IMAGE: registry.gitlab.com/to-be-continuous/tools/gcp-auth-provider:main
+  GCP_OIDC_AUD: $[[ inputs.gcp-oidc-aud ]]
+  GCP_OIDC_ACCOUNT: $[[ inputs.gcp-oidc-account ]]
+  GCP_OIDC_PROVIDER: $[[ inputs.gcp-oidc-provider ]]
+  GCP_SNAPSHOT_OIDC_ACCOUNT: $[[ inputs.gcp-snapshot-oidc-account ]]
+  GCP_SNAPSHOT_OIDC_PROVIDER: $[[ inputs.gcp-snapshot-oidc-provider ]]
+  GCP_RELEASE_OIDC_ACCOUNT: $[[ inputs.gcp-release-oidc-account ]]
+  GCP_RELEASE_OIDC_PROVIDER: $[[ inputs.gcp-release-oidc-provider ]]
+  
 .docker-base:
  services:
    - name: "$TBC_TRACKING_IMAGE"

--- a/templates/gitlab-ci-docker-vault.yml
+++ b/templates/gitlab-ci-docker-vault.yml
 # =====================================================================================================================
 # === Vault template variant
 # =====================================================================================================================
+spec:
+  inputs:
+    vault-base-url:
+      description: The Vault server base API url
+      default: ''
+    vault-oidc-aud:
+      description: The `aud` claim for the JWT
+      default: $CI_SERVER_URL
+---
 variables:
  # variabilized vault-secrets-provider image
-  TBC_VAULT_IMAGE: "registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:master"
+  TBC_VAULT_IMAGE: registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:master
+  VAULT_BASE_URL: $[[ inputs.vault-base-url ]]
  # variables have to be explicitly declared in the YAML to be exported to the service
  VAULT_ROLE_ID: "$VAULT_ROLE_ID"
  VAULT_SECRET_ID: "$VAULT_SECRET_ID"
-  VAULT_OIDC_AUD: "$CI_SERVER_URL"
+  VAULT_OIDC_AUD: $[[ inputs.vault-oidc-aud ]]

 .docker-base:
  services:

--- a/templates/gitlab-ci-docker.yml
+++ b/templates/gitlab-ci-docker.yml
@@ -13,6 +13,183 @@
 # program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth
 # Floor, Boston, MA  02110-1301, USA.
 # =========================================================================================
+spec:
+  inputs:
+    build-tool:
+      description: The build tool to use for building container image
+      options:
+      - kaniko
+      - buildah
+      - dind
+      default: kaniko
+    kaniko-image:
+      description: |-
+        The image used to run kaniko
+
+        _for kaniko build only_
+      default: gcr.io/kaniko-project/executor:debug
+    buildah-image:
+      description: |-
+        The image used to run buildah
+
+        _for buildah build only_
+      default: quay.io/buildah/stable:latest
+    image:
+      description: |-
+        The image used to run the docker client
+
+        _for Docker-in-Docker(dind) build only_
+      default: registry.hub.docker.com/library/docker:latest
+    dind-image:
+      description: |-
+        The image used to run the Docker daemon
+
+        _for Docker-in-Docker(dind) build only_
+      default: registry.hub.docker.com/library/docker:dind
+    skopeo-image:
+      description: The image used to publish docker image with Skopeo
+      default: quay.io/skopeo/stable:latest
+    file:
+      description: The path to your `Dockerfile`
+      default: Dockerfile
+    context-path:
+      description: The Docker [context path](https://docs.docker.com/engine/reference/commandline/build/#build-with-path) (working directory) - _only set if you want a context path different from the Dockerfile location_
+      default: ''
+    config-file:
+      description: Path to the [Docker configuration file](https://docs.docker.com/engine/reference/commandline/cli/#sample-configuration-file) (JSON)
+      default: .docker/config.json
+    snapshot-image:
+      description: Docker snapshot image
+      default: $CI_REGISTRY_IMAGE/snapshot:$CI_COMMIT_REF_SLUG
+    release-image:
+      description: Docker release image
+      default: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME
+    release-extra-tags-pattern:
+      description: |-
+        Defines the image tag pattern that `$DOCKER_RELEASE_IMAGE` should match to push extra tags (supports capturing groups)
+
+        Defaults to [SemVer](https://semver.org/) pattern.
+      default: ^v?(?P<major>[0-9]+)\.(?P<minor>[0-9]+)\.(?P<patch>[0-9]+)(?P<suffix>(?P<prerelease>-[0-9A-Za-z-\.]+)?(?P<build>\+[0-9A-Za-z-\.]+)?)$
+    release-extra-tags:
+      description: |-
+        Defines extra tags to publish the _release_ image
+
+        Supports capturing group references from `$DOCKER_RELEASE_EXTRA_TAGS_PATTERN` (ex: `latest \g<major>.\g<minor> \g<major>`)
+      default: ''
+    build-args:
+      description: Additional docker/kaniko/buildah build arguments
+      default: ''
+    build-cache-disabled:
+      description: Disable the build cache
+      type: boolean
+      default: false
+    metadata:
+      description: Additional metadata to set as labels
+      default: >-
+        --label org.opencontainers.image.url=${CI_PROJECT_URL}
+        --label org.opencontainers.image.source=${CI_PROJECT_URL}
+        --label org.opencontainers.image.title=${CI_PROJECT_PATH}
+        --label org.opencontainers.image.ref.name=${CI_COMMIT_REF_NAME}
+        --label org.opencontainers.image.revision=${CI_COMMIT_SHA}
+        --label org.opencontainers.image.created=${CI_JOB_STARTED_AT}
+    publish-args:
+      description: Additional [`skopeo copy` arguments](https://github.com/containers/skopeo/blob/master/docs/skopeo-copy.1.md#options)
+      default: ''
+    prod-publish-strategy:
+      description: Defines the publish to production strategy.
+      options:
+      - none
+      - manual
+      - auto
+      default: manual
+    semrel-release-disabled:
+      description: Disable integration with the [semantic release template](https://gitlab.com/to-be-continuous/semantic-release/)
+      type: boolean
+      default: false
+    registry-mirror:
+      description: |-
+        URL of a Docker registry mirror to use instead of default `https://index.docker.io`
+
+        _Used by `kaniko` and `dind` builds only_
+      default: ''
+    container-registries-config-file:
+      description: |-
+        The [registries.conf](https://www.redhat.com/sysadmin/manage-container-registries) configuration to be used
+
+        _Used by the `buildah` build only_
+      default: ''
+    kaniko-snapshot-image-cache:
+      description: |-
+        Snapshot image repository that will be used to store cached layers.
+
+        _Used by the `kaniko` build only_
+      default: ${DOCKER_SNAPSHOT_IMAGE%:*}/cache
+    lint-enabled:
+      description: Enable dockerfile-lint
+      type: boolean
+      default: false
+    lint-image:
+      description: The docker image to lint your Dockerfile
+      default: registry.hub.docker.com/projectatomic/dockerfile-lint:latest
+    lint-args:
+      description: Additional `dockerfile_lint` arguments
+      default: ''
+    hadolint-disabled:
+      description: Disable Hadolint
+      type: boolean
+      default: false
+    hadolint-image:
+      description: The docker image to lint your Dockerfile with Hadolint
+      default: registry.hub.docker.com/hadolint/hadolint:latest-alpine
+    hadolint-args:
+      description: Additional `hadolint` arguments
+      default: ''
+    healthcheck-disabled:
+      description: Disable Health Check
+      type: boolean
+      default: false
+    healthcheck-timeout:
+      description: When testing an image, how long (in seconds) wait for the HealthCheck status
+      type: number
+      default: 60
+    healthcheck-options:
+      description: Docker options for health check such as port mapping, environment...
+      default: ''
+    healthcheck-container-args:
+      description: Arguments sent to the running container for health check
+      default: ''
+    trivy-disabled:
+      description: Disable Trivy
+      type: boolean
+      default: false
+    trivy-image:
+      description: The docker image used to scan images with Trivy
+      default: registry.hub.docker.com/aquasec/trivy:latest
+    trivy-addr:
+      description: The Trivy server address
+      default: ''
+    trivy-security-level-threshold:
+      description: 'Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)'
+      options:
+      - UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
+      - LOW,MEDIUM,HIGH,CRITICAL
+      - MEDIUM,HIGH,CRITICAL
+      - HIGH,CRITICAL
+      - CRITICAL
+      default: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
+    trivy-args:
+      description: Additional `trivy client` arguments
+      default: --ignore-unfixed --vuln-type os --exit-on-eol 1
+    sbom-disabled:
+      description: Disable Software Bill of Materials
+      type: boolean
+      default: false
+    sbom-image:
+      default: registry.hub.docker.com/anchore/syft:debug
+    sbom-opts:
+      description: Options for syft used for SBOM analysis
+      default: --catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger,alpmdb-cataloger,apkdb-cataloger,dpkgdb-cataloger
+---
 # default workflow rules: Merge Request pipelines
 workflow:
  rules:
@@ -57,40 +234,36 @@ workflow:

 variables:
  # variabilized tracking image
-  TBC_TRACKING_IMAGE: "registry.gitlab.com/to-be-continuous/tools/tracking:master"
+  TBC_TRACKING_IMAGE: registry.gitlab.com/to-be-continuous/tools/tracking:master
+  DOCKER_LINT_IMAGE: $[[ inputs.lint-image ]]
+  DOCKER_HADOLINT_IMAGE: $[[ inputs.hadolint-image ]]
+  DOCKER_IMAGE: $[[ inputs.image ]]
+  DOCKER_DIND_IMAGE: $[[ inputs.dind-image ]]
+  DOCKER_KANIKO_IMAGE: $[[ inputs.kaniko-image ]]
+  DOCKER_SKOPEO_IMAGE: $[[ inputs.skopeo-image ]]
+  DOCKER_BUILDAH_IMAGE: $[[ inputs.buildah-image ]]

-  DOCKER_HADOLINT_IMAGE: "registry.hub.docker.com/hadolint/hadolint:latest-alpine"
-  DOCKER_IMAGE: "registry.hub.docker.com/library/docker:latest"
-  DOCKER_DIND_IMAGE: "registry.hub.docker.com/library/docker:dind"
-  DOCKER_KANIKO_IMAGE: "gcr.io/kaniko-project/executor:debug"
-  DOCKER_SKOPEO_IMAGE: "quay.io/skopeo/stable:latest"
-  DOCKER_BUILDAH_IMAGE: "quay.io/buildah/stable:latest"
-
-  # for retro-compatibility (deprecated & undocumented)
-  DOCKER_DOCKERFILE_PATH: "."
-  DOCKER_FILE: "$DOCKER_DOCKERFILE_PATH/Dockerfile"
-  DOCKER_CONFIG_FILE: ".docker/config.json"
+  DOCKER_FILE: $[[ inputs.file ]]
+  DOCKER_CONFIG_FILE: $[[ inputs.config-file ]]

  # When testing a Docker Health (test stage), how long (in seconds) wait for the HealthCheck status (https://docs.docker.com/engine/reference/builder/#healthcheck)
-  DOCKER_HEALTHCHECK_TIMEOUT: "60"
+  DOCKER_HEALTHCHECK_TIMEOUT: $[[ inputs.healthcheck-timeout ]]

  # Default Docker config uses the internal GitLab registry
-  DOCKER_SNAPSHOT_IMAGE: "$CI_REGISTRY_IMAGE/snapshot:$CI_COMMIT_REF_SLUG"
-  DOCKER_RELEASE_IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME"
-
-  DOCKER_KANIKO_VERBOSITY: "info"
+  DOCKER_SNAPSHOT_IMAGE: $[[ inputs.snapshot-image ]]
+  DOCKER_RELEASE_IMAGE: $[[ inputs.release-image ]]

-  DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
-  DOCKER_TRIVY_IMAGE: "registry.hub.docker.com/aquasec/trivy:latest"
-  DOCKER_TRIVY_ARGS: "--ignore-unfixed --vuln-type os --exit-on-eol 1"
+  DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD: $[[ inputs.trivy-security-level-threshold ]]
+  DOCKER_TRIVY_IMAGE: $[[ inputs.trivy-image ]]
+  DOCKER_TRIVY_ARGS: $[[ inputs.trivy-args ]]

  # SBOM genenration image and arguments
-  DOCKER_SBOM_IMAGE: "registry.hub.docker.com/anchore/syft:debug"
-  DOCKER_SBOM_OPTS: "--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger"
+  DOCKER_SBOM_IMAGE: $[[ inputs.sbom-image ]]
+  DOCKER_SBOM_OPTS: $[[ inputs.sbom-opts ]]

  # default: one-click publish
-  DOCKER_PROD_PUBLISH_STRATEGY: manual
-  DOCKER_RELEASE_EXTRA_TAGS_PATTERN: "^v?(?P<major>[0-9]+)\\.(?P<minor>[0-9]+)\\.(?P<patch>[0-9]+)(?P<suffix>(?P<prerelease>-[0-9A-Za-z-\\.]+)?(?P<build>\\+[0-9A-Za-z-\\.]+)?)$"
+  DOCKER_PROD_PUBLISH_STRATEGY: $[[ inputs.prod-publish-strategy ]]
+  DOCKER_RELEASE_EXTRA_TAGS_PATTERN: $[[ inputs.release-extra-tags-pattern ]]

  # default production ref name (pattern)
  PROD_REF: '/^(master|main)$/'
@@ -98,22 +271,30 @@ variables:
  INTEG_REF: '/^develop$/'

  # don't use CI_PROJECT_TITLE, kaniko doesn't support space in argument right now (https://github.com/GoogleContainerTools/kaniko/issues/1231)
-  DOCKER_METADATA: >-
-    --label org.opencontainers.image.url=${CI_PROJECT_URL}
-    --label org.opencontainers.image.source=${CI_PROJECT_URL}
-    --label org.opencontainers.image.title=${CI_PROJECT_PATH}
-    --label org.opencontainers.image.ref.name=${CI_COMMIT_REF_NAME}
-    --label org.opencontainers.image.revision=${CI_COMMIT_SHA}
-    --label org.opencontainers.image.created=${CI_JOB_STARTED_AT}
+  DOCKER_METADATA: $[[ inputs.metadata ]]

  # default to kaniko, possible options : kaniko|buildah|dind
-  DOCKER_BUILD_TOOL:
-    value: "kaniko"
-    options:
-      - "kaniko"
-      - "buildah"
-      - "dind"
-    description: "The build tool to use for building container image"
+  DOCKER_BUILD_TOOL: $[[ inputs.build-tool ]]
+
+  DOCKER_CONTEXT_PATH: $[[ inputs.context-path ]]
+  DOCKER_RELEASE_EXTRA_TAGS: $[[ inputs.release-extra-tags ]]
+  DOCKER_BUILD_ARGS: $[[ inputs.build-args ]]
+  DOCKER_BUILD_CACHE_DISABLED: $[[ inputs.build-cache-disabled ]]
+  DOCKER_PUBLISH_ARGS: $[[ inputs.publish-args ]]
+  DOCKER_SEMREL_RELEASE_DISABLED: $[[ inputs.semrel-release-disabled ]]
+  DOCKER_REGISTRY_MIRROR: $[[ inputs.registry-mirror ]]
+  CONTAINER_REGISTRIES_CONFIG_FILE: $[[ inputs.container-registries-config-file ]]
+  KANIKO_SNAPSHOT_IMAGE_CACHE: $[[ inputs.kaniko-snapshot-image-cache ]]
+  DOCKER_LINT_ENABLED: $[[ inputs.lint-enabled ]]
+  DOCKER_LINT_ARGS: $[[ inputs.lint-args ]]
+  DOCKER_HADOLINT_DISABLED: $[[ inputs.hadolint-disabled ]]
+  DOCKER_HADOLINT_ARGS: $[[ inputs.hadolint-args ]]
+  DOCKER_HEALTHCHECK_DISABLED: $[[ inputs.healthcheck-disabled ]]
+  DOCKER_HEALTHCHECK_OPTIONS: $[[ inputs.healthcheck-options ]]
+  DOCKER_HEALTHCHECK_CONTAINER_ARGS: $[[ inputs.healthcheck-container-args ]]
+  DOCKER_TRIVY_DISABLED: $[[ inputs.trivy-disabled ]]
+  DOCKER_TRIVY_ADDR: $[[ inputs.trivy-addr ]]
+  DOCKER_SBOM_DISABLED: $[[ inputs.sbom-disabled ]]

 # ==================================================
 # Stages definition
@@ -438,9 +619,9 @@ stages:
      kaniko_registry_mirror_option="--registry-mirror $(echo ${DOCKER_REGISTRY_MIRROR} | sed "s|^https*://||")"
    fi
    log_info "Build & deploy image $docker_image"
-    log_info "Kaniko command: /kaniko/executor --context $(docker_context_path) --dockerfile $DOCKER_FILE --destination $docker_image ${kaniko_cache_args} --verbosity $DOCKER_KANIKO_VERBOSITY $kaniko_registry_mirror_option $DOCKER_METADATA $DOCKER_BUILD_ARGS $*"
+    log_info "Kaniko command: /kaniko/executor --context $(docker_context_path) --dockerfile $DOCKER_FILE --destination $docker_image ${kaniko_cache_args} $kaniko_registry_mirror_option $DOCKER_METADATA $DOCKER_BUILD_ARGS $*"
    # shellcheck disable=SC2086
-    /kaniko/executor --context "$(docker_context_path)" --dockerfile "$DOCKER_FILE" --destination "$docker_image" ${kaniko_cache_args} --verbosity $DOCKER_KANIKO_VERBOSITY $kaniko_registry_mirror_option $DOCKER_METADATA $DOCKER_BUILD_ARGS "$@"
+    /kaniko/executor ${TRACE+--verbosity debug} --context "$(docker_context_path)" --dockerfile "$DOCKER_FILE" --destination "$docker_image" ${kaniko_cache_args} $kaniko_registry_mirror_option $DOCKER_METADATA $DOCKER_BUILD_ARGS "$@"
  }

  # Used by containers tools like buildah, skopeo.