Woodpecker plugin for skopeo.
test_dir Add dhi.io keychain (#14) 2026-06-02 20:27:50 +00:00
.gitignore Initial commit 2026-04-11 19:49:59 +00:00
.goreleaser.yaml Initial commit 2026-04-11 19:49:59 +00:00
.markdownlint.json Initial commit 2026-04-11 19:49:59 +00:00
.prettierrc Initial commit 2026-04-11 19:49:59 +00:00
.test.env Add dhi.io keychain (#14) 2026-06-02 20:27:50 +00:00
Containerfile Update gcr.io/distroless/static-debian13:nonroot Docker digest to dfadf31 #6 2026-05-18 07:41:46 +00:00
go.mod Update all dependencies to v0.21.7 #15 2026-06-18 03:08:24 +00:00
go.sum Update all dependencies to v0.21.7 #15 2026-06-18 03:08:24 +00:00
image.go Add dhi.io keychain (#14) 2026-06-02 20:27:50 +00:00
LICENSE Initial commit 2026-04-11 19:49:59 +00:00
main.go Add dhi.io keychain (#14) 2026-06-02 20:27:50 +00:00
README.md Add dhi.io keychain (#14) 2026-06-02 20:27:50 +00:00
renovate.json Initial commit 2026-04-11 19:49:59 +00:00

Image copy Woodpecker CI plugin

This plugin copies images between registries. It can be called in two ways, depending on the target environment.

Sample images.ini file:

TargetRegistry=test-home.lan:3000
ProdOwner=ati
StagingOwner=foo-org
Image=gcr.io/distroless/static-debian13:nonroot@sha256:64c43684e6d2b581d1eb362ea47b6a4defee6a9cac5f7ebbda3daa67e8c9b8e6
Image=gcr.io/distroless/base-debian13:nonroot@sha256:6a6b038a85cd9e1e540bd8aae8684d9ac7756afe570bb4cc49320269704b2b3a
Image=codeberg.org/forgejo/forgejo:14.0.3-rootless@sha256:097085e8a67e8793439a3ce2fe7b74ee7c28ef9073268a9d5d3d923864ba125c

It has three modes:

  • Copy from source to staging registry: mode: staging
  • Copy from staging registry to production: mode: production
  • Perform validation on the config file: mode: validation

Validation consists of the following:

  • Parse the images.ini file.
  • Verify that images exist in the config file.
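A validator for the images.ini layout shown above, as an added example that is not the plugin's own code. The function name ParseImagesIni, the set of required keys, and the rule that every Image must be pinned by a sha256 digest are assumptions of this example; the input in main is constructed.

```go
// Added example, not the plugin's code: a validator for the images.ini layout above.
// Required keys and mandatory digest pinning are assumptions of this example.
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// pinned matches name[:tag]@sha256:<64 hex digits>, the form used in the sample file.
var pinned = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._/:-]*@sha256:[a-f0-9]{64}$`)

// ParseImagesIni returns the scalar settings, the pinned images and every problem found.
func ParseImagesIni(src string) (set map[string]string, images, errs []string) {
	set = map[string]string{}
	for i, raw := range strings.Split(src, "\n") {
		key, val, ok := strings.Cut(strings.TrimSpace(raw), "=")
		key, val = strings.TrimSpace(key), strings.TrimSpace(val)
		switch {
		case key == "" && !ok: // blank line
		case !ok || val == "":
			errs = append(errs, fmt.Sprintf("line %d: expected KEY=VALUE", i+1))
		case key == "Image" && pinned.MatchString(val):
			images = append(images, val) // Image may repeat, so collect instead of overwrite
		case key == "Image":
			errs = append(errs, fmt.Sprintf("line %d: image not pinned by digest: %s", i+1, val))
		case key == "TargetRegistry" || key == "ProdOwner" || key == "StagingOwner":
			set[key] = val
		default:
			errs = append(errs, fmt.Sprintf("line %d: unknown key %q", i+1, key))
		}
	}
	for _, k := range []string{"TargetRegistry", "ProdOwner", "StagingOwner"} {
		if set[k] == "" {
			errs = append(errs, "missing required key "+k)
		}
	}
	if len(images) == 0 {
		errs = append(errs, "no pinned Image entries")
	}
	return set, images, errs
}

func main() {
	// Constructed input: a tag-only image reference and no StagingOwner.
	_, imgs, errs := ParseImagesIni("TargetRegistry=test-home.lan:3000\nProdOwner=ati\nImage=example.invalid/app:latest\n")
	fmt.Println(len(imgs), "pinned image(s);", strings.Join(errs, "; "))
}
```

Rejecting tag-only references keeps the staging and production copies tied to the exact image content that was reviewed, since a tag can be repointed at the source registry while a digest cannot.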

The ideal workflow looks like this:

  1. Renovate updates the images.ini file when a new version is available.
  2. After the merge, on the push event for main, this plugin is called with the staging environment, so the image is already saved if anything happens to the source.
  3. After that, a security check is done, and if there is no critical CVE, this plugin is called again with the production environment.

Usage

There is no technical restriction; the plugin can be used on any event.

Sample for staging mode:

steps:
  - name: Copy to staging environment
    image: code.thinkaboutit.tech/pandora/image-copy.woodpecker:latest
    settings:
      debug: true
      mode: staging
      forgejo_token:
        from_secret: ci-token
      forgejo_user: ci-user

Sample for validation mode:

steps:
  - name: Copy to staging environment
    image: code.thinkaboutit.tech/pandora/image-copy.woodpecker:latest
    settings:
      debug: true
      mode: validation
      forgejo_token: placeholder
      forgejo_user: placeholder

The access token needs the read:repository and write:package scopes.

Settings

| Name | Default value | Description |
|---|---|---|
| file_all_images | images_list | File that contains all images |
| file_ok_images | ok_images_list | File that contains images that are copied |
| file_images_ini | images.ini | Path to the configuration file |
| forgejo_user* | | Used for authentication in staging and prod |
| forgejo_token* | | Used for authentication in staging and prod |
| dhi_user | | User for Docker Hardened Images |
| dhi_token | | Access token for Docker Hardened Images |
| mode | | It can be 'staging', 'production' or 'validation' |
| allow_insecure | false | Enable to allow use of an insecure registry |

*: For 'validation' mode, they are not used, but must have a placeholder value.