kaniko-executor 1.25.15 (Chainguard fork) shipped an overly-strict
securejoin path check (upstream PR #326) that rejects valid `..`-relative
symlinks resolving to an in-image absolute path, e.g. the Java trust-store
link /etc/pki/java/cacerts, failing the build during tar extraction with
"symlink target ... resolves outside destination".
Upstream fixed this in chainguard-forks/kaniko v1.25.16 (PR #440, "store
symlink targets verbatim during tar extraction"). Bump FROM base image and
KANIKO_VERSION 1.25.15 -> 1.25.16 across all registry variants
(docker/ecr/gcr/acr/gar, amd64 + arm64).
Depends on harnesscommunity/kaniko-executor:1.25.16-linux-{amd64,arm64}
being published to Docker Hub before this can be built/released.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>