update kaniko-executor base image to 1.25.0 from chaingaurds maintained fork (#150 )

push-only support to Kaniko ACR (#148 )
feat: [CI-17517]: Add push-only support for Kaniko-GAR (#147 )
2026-06-04 18:23:49 +08:00 · 2025-07-03 19:14:28 +05:30 · 2025-06-03 22:17:47 +05:30 · 2025-05-13 21:30:09 +05:30 · 2025-05-12 20:38:33 +05:30 · 2025-04-25 18:11:30 +05:30
39 changed files with 2278 additions and 206 deletions
@@ -11,7 +11,7 @@ platform:

 steps:
 - name: build
-  image: golang:1.22
+  image: golang:1.22.4
  commands:
  - go test ./...
  - sh scripts/build.sh
@@ -178,7 +178,7 @@ pool:

 steps:
 - name: build
-  image: golang:1.22
+  image: golang:1.22.4
  commands:
  - go test ./...
  - sh scripts/build.sh
@@ -0,0 +1,14 @@
+inputSet:
+  name: event-PR
+  identifier: eventPR
+  orgIdentifier: default
+  projectIdentifier: Drone_Plugins
+  pipeline:
+    identifier: dronekanikoharness
+    properties:
+      ci:
+        codebase:
+          build:
+            type: PR
+            spec:
+              number: <+trigger.prNumber>
@@ -0,0 +1,14 @@
+inputSet:
+  name: event-Push
+  identifier: eventPush
+  orgIdentifier: default
+  projectIdentifier: Drone_Plugins
+  pipeline:
+    identifier: dronekanikoharness
+    properties:
+      ci:
+        codebase:
+          build:
+            type: branch
+            spec:
+              branch: <+trigger.branch>
@@ -0,0 +1,14 @@
+inputSet:
+  name: event-Tag
+  identifier: eventTag
+  orgIdentifier: default
+  projectIdentifier: Drone_Plugins
+  pipeline:
+    identifier: dronekanikoharness
+    properties:
+      ci:
+        codebase:
+          build:
+            type: tag
+            spec:
+              tag: <+trigger.tag>
@@ -0,0 +1,656 @@
+pipeline:
+  name: drone-kaniko-harness
+  identifier: dronekanikoharness
+  projectIdentifier: Drone_Plugins
+  orgIdentifier: default
+  tags: {}
+  properties:
+    ci:
+      codebase:
+        connectorRef: GitHub_Drone_Org
+        repoName: drone-kaniko
+        build: <+input>
+        sparseCheckout: []
+  stages:
+    - parallel:
+        - stage:
+            name: linux-amd64
+            identifier: linuxamd64
+            description: ""
+            type: CI
+            spec:
+              cloneCodebase: true
+              caching:
+                enabled: false
+                paths: []
+              platform:
+                os: Linux
+                arch: Amd64
+              runtime:
+                type: Cloud
+                spec: {}
+              execution:
+                steps:
+                  - step:
+                      type: Run
+                      name: Build Binary
+                      identifier: Build
+                      spec:
+                        connectorRef: Plugins_Docker_Hub_Connector
+                        image: golang:1.23.0
+                        shell: Sh
+                        command: |-
+                          go test ./...
+                          sh scripts/build.sh
+                  - parallel:
+                      - step:
+                          type: Plugin
+                          name: BuildAndPushDockerTag
+                          identifier: BuildAndPushDockerTag
+                          spec:
+                            connectorRef: Plugins_Docker_Hub_Connector
+                            image: plugins/docker
+                            settings:
+                              username: drone
+                              password: <+secrets.getValue("Plugins_Docker_Hub_Pat")>
+                              repo: plugins/kaniko<+matrix.image>
+                              dockerfile: docker/<+matrix.repo>/Dockerfile.linux.amd64
+                              auto_tag: "true"
+                              auto_tag_suffix: linux-amd64
+                              daemon_off: "false"
+                          when:
+                            stageStatus: Success
+                            condition: <+codebase.build.type> == "tag"
+                          strategy:
+                            matrix:
+                              image:
+                                - ""
+                                - "-gcr"
+                                - "-gar"
+                                - "-ecr"
+                                - "-acr"
+                              repo:
+                                - docker
+                                - gcr
+                                - gar
+                                - ecr
+                                - acr
+                              exclude:
+                                - image: ""
+                                  repo: gcr
+                                - image: ""
+                                  repo: gar
+                                - image: ""
+                                  repo: ecr
+                                - image: ""
+                                  repo: acr
+                                - image: "-gcr"
+                                  repo: docker
+                                - image: "-gcr"
+                                  repo: gar
+                                - image: "-gcr"
+                                  repo: ecr
+                                - image: "-gcr"
+                                  repo: acr
+                                - image: "-gar"
+                                  repo: docker
+                                - image: "-gar"
+                                  repo: gcr
+                                - image: "-gar"
+                                  repo: ecr
+                                - image: "-gar"
+                                  repo: acr
+                                - image: "-ecr"
+                                  repo: docker
+                                - image: "-ecr"
+                                  repo: gcr
+                                - image: "-ecr"
+                                  repo: gar
+                                - image: "-ecr"
+                                  repo: acr
+                                - image: "-acr"
+                                  repo: docker
+                                - image: "-acr"
+                                  repo: gcr
+                                - image: "-acr"
+                                  repo: gar
+                                - image: "-acr"
+                                  repo: ecr
+                              nodeName: _<+matrix.repo>
+                      - step:
+                          type: Plugin
+                          name: BuildAndPushDockerTag_Kaniko
+                          identifier: BuildAndPushDockerTag_Kaniko
+                          spec:
+                            connectorRef: Plugins_Docker_Hub_Connector
+                            image: plugins/docker
+                            settings:
+                              username: drone
+                              password: <+secrets.getValue("Plugins_Docker_Hub_Pat")>
+                              repo: plugins/kaniko<+matrix.image>
+                              dockerfile: docker/<+matrix.repo>/Dockerfile.linux.amd64.kaniko1.9.1
+                              auto_tag: "true"
+                              auto_tag_suffix: linux-amd64-kaniko1.9.1
+                              daemon_off: "false"
+                          when:
+                            stageStatus: Success
+                            condition: <+codebase.build.type> == "tag"
+                          strategy:
+                            matrix:
+                              image:
+                                - ""
+                                - "-gcr"
+                                - "-gar"
+                                - "-ecr"
+                              repo:
+                                - docker
+                                - gcr
+                                - gar
+                                - ecr
+                              exclude:
+                                - image: ""
+                                  repo: gcr
+                                - image: ""
+                                  repo: gar
+                                - image: ""
+                                  repo: ecr
+                                - image: "-gcr"
+                                  repo: docker
+                                - image: "-gcr"
+                                  repo: gar
+                                - image: "-gcr"
+                                  repo: ecr
+                                - image: "-gar"
+                                  repo: docker
+                                - image: "-gar"
+                                  repo: gcr
+                                - image: "-gar"
+                                  repo: ecr
+                                - image: "-ecr"
+                                  repo: docker
+                                - image: "-ecr"
+                                  repo: gcr
+                                - image: "-ecr"
+                                  repo: gar
+                              nodeName: <+matrix.repo>
+                  - parallel:
+                      - step:
+                          type: BuildAndPushDockerRegistry
+                          name: BuildAndPushDockerBranch
+                          identifier: BuildAndPushDockerBranch
+                          spec:
+                            connectorRef: Plugins_Docker_Hub_Connector
+                            repo: plugins/kaniko<+matrix.image>
+                            tags:
+                              - linux-amd64
+                            caching: false
+                            dockerfile: docker/<+matrix.repo>/Dockerfile.linux.amd64
+                          when:
+                            stageStatus: Success
+                            condition: <+codebase.build.type> == "branch"
+                          strategy:
+                            matrix:
+                              image:
+                                - ""
+                                - "-gcr"
+                                - "-gar"
+                                - "-ecr"
+                                - "-acr"
+                              repo:
+                                - docker
+                                - gcr
+                                - gar
+                                - ecr
+                                - acr
+                              exclude:
+                                - image: ""
+                                  repo: gcr
+                                - image: ""
+                                  repo: gar
+                                - image: ""
+                                  repo: ecr
+                                - image: ""
+                                  repo: acr
+                                - image: "-gcr"
+                                  repo: docker
+                                - image: "-gcr"
+                                  repo: gar
+                                - image: "-gcr"
+                                  repo: ecr
+                                - image: "-gcr"
+                                  repo: acr
+                                - image: "-gar"
+                                  repo: docker
+                                - image: "-gar"
+                                  repo: gcr
+                                - image: "-gar"
+                                  repo: ecr
+                                - image: "-gar"
+                                  repo: acr
+                                - image: "-ecr"
+                                  repo: docker
+                                - image: "-ecr"
+                                  repo: gcr
+                                - image: "-ecr"
+                                  repo: gar
+                                - image: "-ecr"
+                                  repo: acr
+                                - image: "-acr"
+                                  repo: docker
+                                - image: "-acr"
+                                  repo: gcr
+                                - image: "-acr"
+                                  repo: gar
+                                - image: "-acr"
+                                  repo: ecr
+                              nodeName: <+matrix.repo>
+                      - step:
+                          type: BuildAndPushDockerRegistry
+                          name: BuildAndPushDockerBranch_Kaniko
+                          identifier: BuildAndPushDockerBranch_Kaniko
+                          spec:
+                            connectorRef: Plugins_Docker_Hub_Connector
+                            repo: plugins/kaniko<+matrix.image>
+                            tags:
+                              - linux-amd64-kaniko1.9.1
+                            caching: false
+                            dockerfile: docker/<+matrix.repo>/Dockerfile.linux.amd64.kaniko1.9.1
+                          when:
+                            stageStatus: Success
+                            condition: <+codebase.build.type> == "branch"
+                          strategy:
+                            matrix:
+                              image:
+                                - ""
+                                - "-gcr"
+                                - "-gar"
+                                - "-ecr"
+                              repo:
+                                - docker
+                                - gcr
+                                - gar
+                                - ecr
+                              exclude:
+                                - image: ""
+                                  repo: gcr
+                                - image: ""
+                                  repo: gar
+                                - image: ""
+                                  repo: ecr
+                                - image: "-gcr"
+                                  repo: docker
+                                - image: "-gcr"
+                                  repo: gar
+                                - image: "-gcr"
+                                  repo: ecr
+                                - image: "-gar"
+                                  repo: docker
+                                - image: "-gar"
+                                  repo: gcr
+                                - image: "-gar"
+                                  repo: ecr
+                                - image: "-ecr"
+                                  repo: docker
+                                - image: "-ecr"
+                                  repo: gcr
+                                - image: "-ecr"
+                                  repo: gar
+                              nodeName: _<+matrix.repo>
+            when:
+              pipelineStatus: Success
+        - stage:
+            name: linux-arm64
+            identifier: linuxarm64
+            description: ""
+            type: CI
+            spec:
+              cloneCodebase: true
+              caching:
+                enabled: false
+                paths: []
+              platform:
+                os: Linux
+                arch: Arm64
+              runtime:
+                type: Cloud
+                spec: {}
+              execution:
+                steps:
+                  - step:
+                      type: Run
+                      name: Build Binary
+                      identifier: Build_and_Test
+                      spec:
+                        connectorRef: Plugins_Docker_Hub_Connector
+                        image: golang:1.23.0
+                        shell: Sh
+                        command: |-
+                          go test ./...
+                          sh scripts/build.sh
+                  - parallel:
+                      - step:
+                          type: Plugin
+                          name: BuildAndPushDockerTag
+                          identifier: BuildAndPushDockerTag
+                          spec:
+                            connectorRef: Plugins_Docker_Hub_Connector
+                            image: plugins/docker
+                            settings:
+                              username: drone
+                              password: <+secrets.getValue("Plugins_Docker_Hub_Pat")>
+                              repo: plugins/kaniko<+matrix.image>
+                              dockerfile: docker/<+matrix.repo>/Dockerfile.linux.arm64
+                              auto_tag: "true"
+                              auto_tag_suffix: linux-arm64
+                              daemon_off: "false"
+                          when:
+                            stageStatus: Success
+                            condition: <+codebase.build.type> == "tag"
+                          strategy:
+                            matrix:
+                              image:
+                                - ""
+                                - "-gcr"
+                                - "-gar"
+                                - "-ecr"
+                                - "-acr"
+                              repo:
+                                - docker
+                                - gcr
+                                - gar
+                                - ecr
+                                - acr
+                              exclude:
+                                - image: ""
+                                  repo: gcr
+                                - image: ""
+                                  repo: gar
+                                - image: ""
+                                  repo: ecr
+                                - image: ""
+                                  repo: acr
+                                - image: "-gcr"
+                                  repo: docker
+                                - image: "-gcr"
+                                  repo: gar
+                                - image: "-gcr"
+                                  repo: ecr
+                                - image: "-gcr"
+                                  repo: acr
+                                - image: "-gar"
+                                  repo: docker
+                                - image: "-gar"
+                                  repo: gcr
+                                - image: "-gar"
+                                  repo: ecr
+                                - image: "-gar"
+                                  repo: acr
+                                - image: "-ecr"
+                                  repo: docker
+                                - image: "-ecr"
+                                  repo: gcr
+                                - image: "-ecr"
+                                  repo: gar
+                                - image: "-ecr"
+                                  repo: acr
+                                - image: "-acr"
+                                  repo: docker
+                                - image: "-acr"
+                                  repo: gcr
+                                - image: "-acr"
+                                  repo: gar
+                                - image: "-acr"
+                                  repo: ecr
+                              nodeName: _<+matrix.repo>
+                      - step:
+                          type: Plugin
+                          name: BuildAndPushDockerTag_Kaniko
+                          identifier: BuildAndPushDockerTag_Kaniko
+                          spec:
+                            connectorRef: Plugins_Docker_Hub_Connector
+                            image: plugins/docker
+                            settings:
+                              username: drone
+                              password: <+secrets.getValue("Plugins_Docker_Hub_Pat")>
+                              repo: plugins/kaniko<+matrix.image>
+                              dockerfile: docker/<+matrix.repo>/Dockerfile.linux.arm64.kaniko1.9.1
+                              auto_tag: "true"
+                              auto_tag_suffix: linux-arm64-kaniko1.9.1
+                              daemon_off: "false"
+                          when:
+                            stageStatus: Success
+                            condition: <+codebase.build.type> == "tag"
+                          strategy:
+                            matrix:
+                              image:
+                                - ""
+                                - "-gcr"
+                                - "-gar"
+                                - "-ecr"
+                              repo:
+                                - docker
+                                - gcr
+                                - gar
+                                - ecr
+                              exclude:
+                                - image: ""
+                                  repo: gcr
+                                - image: ""
+                                  repo: gar
+                                - image: ""
+                                  repo: ecr
+                                - image: "-gcr"
+                                  repo: docker
+                                - image: "-gcr"
+                                  repo: gar
+                                - image: "-gcr"
+                                  repo: ecr
+                                - image: "-gar"
+                                  repo: docker
+                                - image: "-gar"
+                                  repo: gcr
+                                - image: "-gar"
+                                  repo: ecr
+                                - image: "-ecr"
+                                  repo: docker
+                                - image: "-ecr"
+                                  repo: gcr
+                                - image: "-ecr"
+                                  repo: gar
+                              nodeName: _<+matrix.repo>
+                  - parallel:
+                      - step:
+                          type: BuildAndPushDockerRegistry
+                          name: BuildAndPushDockerBranch
+                          identifier: BuildAndPushDockerBranch
+                          spec:
+                            connectorRef: Plugins_Docker_Hub_Connector
+                            repo: plugins/kaniko<+matrix.image>
+                            tags:
+                              - linux-arm64
+                            caching: false
+                            dockerfile: docker/<+matrix.repo>/Dockerfile.linux.arm64
+                          when:
+                            stageStatus: Success
+                            condition: <+codebase.build.type> == "branch"
+                          strategy:
+                            matrix:
+                              image:
+                                - ""
+                                - "-gcr"
+                                - "-gar"
+                                - "-ecr"
+                                - "-acr"
+                              repo:
+                                - docker
+                                - gcr
+                                - gar
+                                - ecr
+                                - acr
+                              exclude:
+                                - image: ""
+                                  repo: gcr
+                                - image: ""
+                                  repo: gar
+                                - image: ""
+                                  repo: ecr
+                                - image: ""
+                                  repo: acr
+                                - image: "-gcr"
+                                  repo: docker
+                                - image: "-gcr"
+                                  repo: gar
+                                - image: "-gcr"
+                                  repo: ecr
+                                - image: "-gcr"
+                                  repo: acr
+                                - image: "-gar"
+                                  repo: docker
+                                - image: "-gar"
+                                  repo: gcr
+                                - image: "-gar"
+                                  repo: ecr
+                                - image: "-gar"
+                                  repo: acr
+                                - image: "-ecr"
+                                  repo: docker
+                                - image: "-ecr"
+                                  repo: gcr
+                                - image: "-ecr"
+                                  repo: gar
+                                - image: "-ecr"
+                                  repo: acr
+                                - image: "-acr"
+                                  repo: docker
+                                - image: "-acr"
+                                  repo: gcr
+                                - image: "-acr"
+                                  repo: gar
+                                - image: "-acr"
+                                  repo: ecr
+                              nodeName: <+matrix.repo>
+                      - step:
+                          type: BuildAndPushDockerRegistry
+                          name: BuildAndPushDockerBranch_Kaniko
+                          identifier: BuildAndPushDockerBranch_Kaniko
+                          spec:
+                            connectorRef: Plugins_Docker_Hub_Connector
+                            repo: plugins/kaniko<+matrix.image>
+                            tags:
+                              - linux-arm64-kaniko1.9.1
+                            caching: false
+                            dockerfile: docker/<+matrix.repo>/Dockerfile.linux.arm64.kaniko1.9.1
+                          when:
+                            stageStatus: Success
+                            condition: <+codebase.build.type> == "branch"
+                          strategy:
+                            matrix:
+                              image:
+                                - ""
+                                - "-gcr"
+                                - "-gar"
+                                - "-ecr"
+                              repo:
+                                - docker
+                                - gcr
+                                - gar
+                                - ecr
+                              exclude:
+                                - image: ""
+                                  repo: gcr
+                                - image: ""
+                                  repo: gar
+                                - image: ""
+                                  repo: ecr
+                                - image: "-gcr"
+                                  repo: docker
+                                - image: "-gcr"
+                                  repo: gar
+                                - image: "-gcr"
+                                  repo: ecr
+                                - image: "-gar"
+                                  repo: docker
+                                - image: "-gar"
+                                  repo: gcr
+                                - image: "-gar"
+                                  repo: ecr
+                                - image: "-ecr"
+                                  repo: docker
+                                - image: "-ecr"
+                                  repo: gcr
+                                - image: "-ecr"
+                                  repo: gar
+                              nodeName: _<+matrix.repo>
+            when:
+              pipelineStatus: Success
+    - stage:
+        name: Manifest
+        identifier: Manifest
+        description: ""
+        type: CI
+        spec:
+          cloneCodebase: true
+          caching:
+            enabled: false
+            paths: []
+          platform:
+            os: Linux
+            arch: Amd64
+          runtime:
+            type: Cloud
+            spec: {}
+          execution:
+            steps:
+              - parallel:
+                  - step:
+                      type: Plugin
+                      name: Manifest
+                      identifier: Manifest
+                      spec:
+                        connectorRef: Plugins_Docker_Hub_Connector
+                        image: plugins/manifest
+                        settings:
+                          auto_tag: "true"
+                          spec: docker/<+matrix.repo>/manifest.tmpl
+                          username: drone
+                          password: <+secrets.getValue("Plugins_Docker_Hub_Pat")>
+                          ignore_missing: "true"
+                      when:
+                        stageStatus: Success
+                        condition: <+codebase.build.type> == "branch" || <+codebase.build.type> == "tag"
+                      strategy:
+                        matrix:
+                          repo:
+                            - docker
+                            - gcr
+                            - gar
+                            - ecr
+                            - acr
+                          nodeName: manifest_<+matrix.repo>
+                  - step:
+                      type: Plugin
+                      name: Manifest_kaniko191
+                      identifier: Manifest_kaniko
+                      spec:
+                        connectorRef: Plugins_Docker_Hub_Connector
+                        image: plugins/manifest
+                        settings:
+                          auto_tag: "false"
+                          spec: docker/<+matrix.repo>/manifest-kaniko1.9.1.tmpl
+                          username: drone
+                          password: <+secrets.getValue("Plugins_Docker_Hub_Pat")>
+                          ignore_missing: "true"
+                      when:
+                        stageStatus: Success
+                        condition: <+codebase.build.type> == "branch" || <+codebase.build.type> == "tag"
+                      strategy:
+                        matrix:
+                          repo:
+                            - docker
+                            - gcr
+                            - gar
+                            - ecr
+                          nodeName: manifest_<+matrix.repo>
+        when:
+          pipelineStatus: Success
+  allowStageExecutions: true
@@ -4,6 +4,13 @@ Drone kaniko plugin uses [kaniko](https://github.com/GoogleContainerTools/kaniko

 Plugin images are published with 1.6.0 as well as 1.9.1 kaniko version from 1.5.1 release tag. `plugins/kaniko:<release-tag>` uses 1.6.0 version while `plugins/kaniko:<release-tag>-kaniko1.9.1` uses 1.9.1 version. Similar convention is used for plugins/kaniko-ecr & plugins/kaniko-gcr images as well.

+Run the following script to install git-leaks support to this repo.
+
+```
+chmod +x ./git-hooks/install.sh
+./git-hooks/install.sh
+```
+
 ## Build

 Build the binaries with the following commands:
@@ -29,7 +36,7 @@ docker build \
  --label org.label-schema.build-date=$(date -u +"%Y-%m-%dT%H:%M:%SZ") \
  --label org.label-schema.vcs-ref=$(git rev-parse --short HEAD) \
  --file docker/docker/Dockerfile.linux.amd64 --tag plugins/kaniko .
-  
+
 docker build \
  --label org.label-schema.build-date=$(date -u +"%Y-%m-%dT%H:%M:%SZ") \
  --label org.label-schema.vcs-ref=$(git rev-parse --short HEAD) \
@@ -47,6 +54,33 @@ docker build \
 ```

 ## Usage
+
+### Operation Modes
+
+Default Mode (Build and Push):
+
+When neither `no_push` nor `push_only` is provided. Plugin builds and pushes the Docker image to a container registry.
+
+Build-Only Mode (no-push):
+
+When `no_push` is true and `destination_tar_path` is defined.
+Plugin performs only the image build operation and saves the resulting image tarball to the specified `destination_tar_path`
+It does not push the image to any registry.
+
+Push-Only Mode (push-only):
+
+When `push_only` is true and `source_tar_path` is defined.
+Plugin loads an existing image tarball from the specified `source_tar_path`
+and pushes the loaded image to a Container Registry.
+It skips the build process.
+
+### Mutually Exclusive Inputs
+
+If both `no_push` and `push_only` inputs are provided, the plugin will:
+
+Terminate the operation and
+throw an error with the message: "Inputs no-push and push-only cannot be used together. Please define only one."
+
 ### Manual Tagging

 ```console
@@ -73,6 +107,7 @@ docker run --rm \
    -w /drone \
    plugins/kaniko:linux-amd64
 ```
+
 would both be equivalent to

 ```
@@ -82,7 +117,7 @@ PLUGIN_TAGS=1,1.2,1.2.3,latest
 This allows for passing `$DRONE_TAG` directly as a tag for repos that use [semver](https://semver.org) tags.

 To avoid confusion between repo tags and image tags, `PLUGIN_EXPAND_TAG` also recognizes a semantic version
-without the `v` prefix.  As such, the following is also equivalent to the above:
+without the `v` prefix. As such, the following is also equivalent to the above:

 ```console
 docker run --rm \
@@ -94,6 +129,7 @@ docker run --rm \
 ```

 ### Auto Tagging
+
 The [auto tag feature](https://plugins.drone.io/drone-plugins/drone-docker) of docker plugin is also supported.

 When auto tagging is enabled, if any of the case is matched below, a docker build will be pushed with auto generated tags. Otherwise the docker build will be skipped.
@@ -115,6 +151,7 @@ docker run --rm \
 ```

 Tags to push:
+
 - 1.2.3
 - 1.2
 - 1
@@ -135,4 +172,5 @@ docker run --rm \
 ```

 Tags to push:
+
 - latest
@@ -13,6 +13,8 @@ import (

 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
 	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+	"github.com/google/go-containerregistry/pkg/authn"
+	"github.com/google/go-containerregistry/pkg/crane"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli"
@@ -206,6 +208,21 @@ func main() {
 			Usage:  "Set this flag if you only want to build the image, without pushing to a registry",
 			EnvVar: "PLUGIN_NO_PUSH",
 		},
+		cli.BoolFlag{
+			Name:   "push-only",
+			Usage:  "Set this flag if you only want to push a pre-built image from a tarball",
+			EnvVar: "PLUGIN_PUSH_ONLY",
+		},
+		cli.StringFlag{
+			Name:   "source-tar-path",
+			Usage:  "Path to the local tarball to be pushed when push-only is set",
+			EnvVar: "PLUGIN_SOURCE_TAR_PATH",
+		},
+		cli.StringFlag{
+			Name:   "tar-path",
+			Usage:  "Set this flag to save the image as a tarball at path",
+			EnvVar: "PLUGIN_TAR_PATH,PLUGIN_DESTINATION_TAR_PATH",
+		},
 		cli.StringFlag{
 			Name:   "verbosity",
 			Usage:  "Set this flag with value as oneof <panic|fatal|error|warn|info|debug|trace> to set the logging level for kaniko. Defaults to info.",
@@ -380,6 +397,11 @@ func main() {
 }

 func run(c *cli.Context) error {
+	// Check if push-only flag is set
+	if c.Bool("push-only") {
+		return handlePushOnly(c)
+	}
+
 	registry := c.String("registry")
 	noPush := c.Bool("no-push")

@@ -451,6 +473,7 @@ func run(c *cli.Context) error {
 			SkipTLSVerifyRegistry:       c.Bool("skip-tls-verify-registry"),
 			UseNewRun:                   c.Bool("use-new-run"),
 			IgnorePath:                  c.String("ignore-path"),
+			IgnorePaths:                 c.StringSlice("ignore-paths"),
 			ImageFSExtractRetry:         c.Int("image-fs-extract-retry"),
 			ImageDownloadRetry:          c.Int("image-download-retry"),
 		},
@@ -470,6 +493,12 @@ func run(c *cli.Context) error {
 		flag := c.Bool("ignore-var-run")
 		plugin.Build.IgnoreVarRun = &flag
 	}
+
+	// Set tar-path if provided
+	if c.IsSet("tar-path") {
+		plugin.Build.TarPath = c.String("tar-path")
+	}
+
 	return plugin.Exec()
 }

@@ -479,25 +508,32 @@ func setupAuth(tenantId, clientId, cert,
 		return "", fmt.Errorf("registry must be specified")
 	}

-	if noPush {
-		return "", nil
-	}
-
 	// case of client secret or cert based auth
 	if clientId != "" {
 		// only setup auth when pushing or credentials are defined

 		token, publicUrl, err := getACRToken(subscriptionId, tenantId, clientId, clientSecret, cert, registry)
 		if err != nil {
+			if noPush {
+				logrus.Warnf("NO_PUSH mode: failed to fetch ACR Token: %v", err)
+				return "", nil
+			}
 			return "", errors.Wrap(err, "failed to fetch ACR Token")
 		}

 		// setup docker config for azure registry and base image docker registry
 		if err := setDockerAuth(username, token, registry, dockerUsername, dockerPassword, dockerRegistry); err != nil {
+			if noPush {
+				logrus.Warnf("NO_PUSH mode: failed to create docker config: %v", err)
+				return "", nil
+			}
 			return "", errors.Wrap(err, "failed to create docker config")
 		}
 		return publicUrl, nil
 	} else {
+		if noPush {
+			return "", nil
+		}
 		return "", fmt.Errorf("managed authentication is not supported")
 	}
 }
@@ -690,6 +726,94 @@ func encodeParam(s string) string {
 	return url.QueryEscape(s)
 }

+func handlePushOnly(c *cli.Context) error {
+	// Validate inputs for push-only operation
+	sourceTarPath := c.String("source-tar-path")
+	if sourceTarPath == "" {
+		return fmt.Errorf("source_tar_path is required when push_only is set")
+	}
+
+	if _, err := os.Stat(sourceTarPath); os.IsNotExist(err) {
+		return fmt.Errorf("image tarball does not exist at path: %s", sourceTarPath)
+	}
+
+	repo := c.String("repo")
+	registry := c.String("registry")
+	if repo == "" || registry == "" {
+		return fmt.Errorf("repository and registry must be specified for push-only operation")
+	}
+
+	// Setup ACR authentication
+	publicUrl, err := setupAuth(
+		c.String("tenant-id"),
+		c.String("client-id"),
+		c.String("client-cert"),
+		c.String("client-secret"),
+		c.String("subscription-id"),
+		registry,
+		c.String("base-image-username"),
+		c.String("base-image-password"),
+		c.String("base-image-registry"),
+		false, // We want to push in push-only mode
+	)
+	if err != nil {
+		return err
+	}
+
+	// Load the image from the tarball
+	logrus.Infof("Loading image from tarball: %s", sourceTarPath)
+
+	img, err := crane.Load(sourceTarPath)
+	if err != nil {
+		return fmt.Errorf("failed to load image from tarball: %v", err)
+	}
+
+	// Check if the Docker config directory exists (should have been created by setupAuth)
+	if _, err := os.Stat(dockerConfigPath); os.IsNotExist(err) {
+		return fmt.Errorf("Docker config directory does not exist: %v", err)
+	} else if err != nil {
+		return fmt.Errorf("error checking Docker config directory: %v", err)
+	}
+
+	// Explicitly set DOCKER_CONFIG environment variable to ensure crane finds the config
+	if err := os.Setenv("DOCKER_CONFIG", dockerConfigPath); err != nil {
+		return fmt.Errorf("failed to set DOCKER_CONFIG environment variable: %v", err)
+	}
+
+	// Setup crane options
+	opts := []crane.Option{
+		crane.WithAuthFromKeychain(authn.DefaultKeychain),
+	}
+
+	// Push for each tag
+	tags := c.StringSlice("tags")
+	if len(tags) == 0 {
+		tags = []string{"latest"}
+	}
+
+	// Use the registry from setupAuth if publicUrl is available, otherwise use the provided registry
+	pushRegistry := registry
+	if publicUrl != "" {
+		logrus.Infof("Using public URL for pushing: %s", publicUrl)
+		// Extract just the registry part from the full URL if needed
+		// This depends on the format of publicUrl, adjust parsing as needed
+		pushRegistry = publicUrl
+	}
+
+	for _, tag := range tags {
+		dest := fmt.Sprintf("%s/%s:%s", pushRegistry, repo, tag)
+		logrus.Infof("Pushing image to: %s", dest)
+
+		if err := crane.Push(img, dest, opts...); err != nil {
+			return fmt.Errorf("failed to push image to %s: %v", dest, err)
+		}
+
+		logrus.Infof("Successfully pushed image to %s", dest)
+	}
+
+	return nil
+}
+
 type strct struct {
 	Value []struct {
 		ID string `json:"id"`
@@ -13,7 +13,7 @@ import (
 )

 const (
-	v2RegistryURL    string = "https://index.docker.io/v2/" // v2 registry is not supported
+	v2RegistryURL string = "https://index.docker.io/v2/" // v2 registry is not supported
 )

 func TestCreateDockerConfigWithBaseRegistry(t *testing.T) {
@@ -100,22 +100,7 @@ func TestCreateDockerConfigWithBaseRegistry(t *testing.T) {
 			Password: "",
 		},
 	}, tempDir)
-	assert.NoError(t, err)
-
-	// v2 registry but without username password
-	err = config.CreateDockerConfig([]docker.RegistryCredentials{
-		{
-			Registry: registry,
-			Username: username,
-			Password: password,
-		},
-		{
-			Registry: v2RegistryURL,
-			Username: "",
-			Password: "",
-		},
-	}, tempDir)
-	assert.NoError(t, err)
+	assert.EqualError(t, err, "Username must be specified for registry: "+dockerRegistry)

 	// private base registry without username/password
 	err = config.CreateDockerConfig([]docker.RegistryCredentials{
@@ -190,7 +190,7 @@ func main() {
 		cli.StringFlag{
 			Name:   "tar-path",
 			Usage:  "Set this flag to save the image as a tarball at path",
-			EnvVar: "PLUGIN_TAR_PATH",
+			EnvVar: "PLUGIN_TAR_PATH, PLUGIN_DESTINATION_TAR_PATH",
 		},
 		cli.StringFlag{
 			Name:   "verbosity",
@@ -353,6 +353,11 @@ func main() {
 			Usage:  "Path to ignore during the build.",
 			EnvVar: "PLUGIN_IGNORE_PATH",
 		},
+		cli.StringSliceFlag{
+			Name:   "ignore-paths",
+			Usage:  "Path to ignore during the build.",
+			EnvVar: "PLUGIN_IGNORE_PATHS",
+		},
 		cli.IntFlag{
 			Name:   "image-fs-extract-retry",
 			Usage:  "Number of retries for extracting filesystem layers.",
@@ -363,6 +368,16 @@ func main() {
 			Usage:  "Number of retries for downloading base images.",
 			EnvVar: "PLUGIN_IMAGE_DOWNLOAD_RETRY",
 		},
+		cli.StringFlag{
+			Name:   "source-tar-path",
+			Usage:  "Set this flag for the source tarball during push operations.",
+			EnvVar: "PLUGIN_SOURCE_TAR_PATH",
+		},
+		cli.BoolFlag{
+			Name:   "push-only",
+			Usage:  "Specify if the operation is push-only",
+			EnvVar: "PLUGIN_PUSH_ONLY",
+		},
 	}

 	if err := app.Run(os.Args); err != nil {
@@ -419,6 +434,7 @@ func run(c *cli.Context) error {
 			TarPath:                     c.String("tar-path"),
 			Verbosity:                   c.String("verbosity"),
 			Platform:                    c.String("platform"),
+			PushOnly:                    c.Bool("push-only"),
 			SkipUnusedStages:            c.Bool("skip-unused-stages"),
 			CacheDir:                    c.String("cache-dir"),
 			CacheCopyLayers:             c.Bool("cache-copy-layers"),
@@ -446,8 +462,10 @@ func run(c *cli.Context) error {
 			SkipPushPermissionCheck:     c.Bool("skip-push-permission-check"),
 			SkipTLSVerifyPull:           c.Bool("skip-tls-verify-pull"),
 			SkipTLSVerifyRegistry:       c.Bool("skip-tls-verify-registry"),
+			SourceTarPath:               c.String("source-tar-path"),
 			UseNewRun:                   c.Bool("use-new-run"),
 			IgnorePath:                  c.String("ignore-path"),
+			IgnorePaths:                 c.StringSlice("ignore-paths"),

 			ImageFSExtractRetry: c.Int("image-fs-extract-retry"),
 			ImageDownloadRetry:  c.Int("image-download-retry"),
@@ -1,6 +1,12 @@
 package main

-import "testing"
+import (
+	"io/ioutil"
+	"os"
+	"testing"
+
+	"github.com/drone/drone-kaniko/pkg/docker"
+)

 func Test_buildRepo(t *testing.T) {
 	tests := []struct {
@@ -36,58 +42,80 @@ func Test_buildRepo(t *testing.T) {
 	}
 }

-func TestCreateDockerConfigFromGivenRegistry(t *testing.T) {
+func TestCreateDockerConfig(t *testing.T) {
+	config := docker.NewConfig()
+	tempDir, err := ioutil.TempDir("", "docker-config-test")
+	if err != nil {
+		t.Fatalf("Failed to create temporary directory: %v", err)
+	}
+	defer os.RemoveAll(tempDir)
+
 	tests := []struct {
-		name           string
-		username       string
-		password       string
-		registry       string
-		dockerUsername string
-		dockerPassword string
-		dockerRegistry string
-		wantErr        bool
+		name        string
+		credentials []docker.RegistryCredentials
+		wantErr     bool
 	}{
 		{
-			name:     "valid credentials",
-			username: "testuser",
-			password: "testpassword",
-			registry: "https://index.docker.io/v1/",
-			wantErr:  false,
+			name: "valid credentials",
+			credentials: []docker.RegistryCredentials{
+				{
+					Registry: "https://index.docker.io/v1/",
+					Username: "testuser",
+					Password: "testpassword",
+				},
+			},
+			wantErr: false,
 		},
 		{
-			name:     "v2 registry",
-			username: "testuser",
-			password: "testpassword",
-			registry: "https://index.docker.io/v2/",
-			wantErr:  false,
+			name: "v2 registry",
+			credentials: []docker.RegistryCredentials{
+				{
+					Registry: "https://index.docker.io/v2/",
+					Username: "testuser",
+					Password: "testpassword",
+				},
+			},
+			wantErr: false,
 		},
 		{
-			name:           "docker registry credentials",
-			username:       "testuser",
-			password:       "testpassword",
-			registry:       "https://index.docker.io/v1/",
-			dockerUsername: "dockeruser",
-			dockerPassword: "dockerpassword",
-			dockerRegistry: "https://docker.io",
-			wantErr:        false,
+			name: "docker registry credentials",
+			credentials: []docker.RegistryCredentials{
+				{
+					Registry: "https://index.docker.io/v1/",
+					Username: "testuser",
+					Password: "testpassword",
+				},
+				{
+					Registry: "https://docker.io",
+					Username: "dockeruser",
+					Password: "dockerpassword",
+				},
+			},
+			wantErr: false,
 		},
 		{
-			name:           "empty docker registry",
-			username:       "testuser",
-			password:       "testpassword",
-			registry:       "https://index.docker.io/v1/",
-			dockerUsername: "dockeruser",
-			dockerPassword: "",
-			dockerRegistry: "https://docker.io",
-			wantErr:        false,
+			name: "empty docker registry",
+			credentials: []docker.RegistryCredentials{
+				{
+					Registry: "https://index.docker.io/v1/",
+					Username: "testuser",
+					Password: "testpassword",
+				},
+				{
+					Registry: "https://docker.io",
+					Username: "dockeruser",
+					Password: "",
+				},
+			},
+			wantErr: true,
 		},
 	}

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			err := createDockerConfig(tt.username, tt.password, tt.registry, tt.dockerUsername, tt.dockerPassword, tt.dockerRegistry)
+			err := config.CreateDockerConfig(tt.credentials, tempDir)
 			if (err != nil) != tt.wantErr {
-				t.Errorf("createDockerConfig() error = %v, wantErr %v", err, tt.wantErr)
+				t.Errorf("CreateDockerConfig() error = %v, wantErr %v", err, tt.wantErr)
 				return
 			}
 		})
@@ -0,0 +1,33 @@
+package main
+
+import (
+	"strings"
+)
+
+// CustomStringSliceFlag is like a regular StringSlice flag but with
+// semicolon as a delimiter
+type CustomStringSliceFlag struct {
+	Value []string
+}
+
+func (f *CustomStringSliceFlag) GetValue() []string {
+	if f.Value == nil {
+		return make([]string, 0)
+	}
+	return f.Value
+}
+
+func (f *CustomStringSliceFlag) String() string {
+	if f.Value == nil {
+		return ""
+	}
+	return strings.Join(f.Value, ";")
+}
+
+func (f *CustomStringSliceFlag) Set(v string) error {
+	for _, s := range strings.Split(v, ";") {
+		s = strings.TrimSpace(s)
+		f.Value = append(f.Value, s)
+	}
+	return nil
+}
@@ -7,16 +7,19 @@ import (
 	"io/ioutil"
 	"os"
 	"strings"
+	"time"

 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/config"
 	"github.com/aws/aws-sdk-go-v2/service/ecr"
 	"github.com/aws/aws-sdk-go-v2/service/ecrpublic"
 	awsv1 "github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/credentials"
 	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
 	"github.com/aws/aws-sdk-go/aws/session"
 	ecrv1 "github.com/aws/aws-sdk-go/service/ecr"
 	ecrpublicv1 "github.com/aws/aws-sdk-go/service/ecrpublic"
+	"github.com/aws/aws-sdk-go/service/sts"
 	"github.com/aws/smithy-go"
 	"github.com/hashicorp/go-version"
 	"github.com/joho/godotenv"
@@ -27,6 +30,8 @@ import (
 	kaniko "github.com/drone/drone-kaniko"
 	"github.com/drone/drone-kaniko/pkg/artifact"
 	"github.com/drone/drone-kaniko/pkg/docker"
+	"github.com/google/go-containerregistry/pkg/authn"
+	"github.com/google/go-containerregistry/pkg/crane"
 )

 const (
@@ -35,6 +40,7 @@ const (
 	secretKeyEnv     string = "AWS_SECRET_ACCESS_KEY"
 	ecrPublicDomain  string = "public.ecr.aws"
 	kanikoVersionEnv string = "KANIKO_VERSION"
+	sessionKeyEnv    string = "AWS_SESSION_TOKEN"

 	oneDotEightVersion string = "1.8.0"
 	defaultDigestFile  string = "/kaniko/digest-file"
@@ -122,6 +128,17 @@ func main() {
 			Usage:  "build args",
 			EnvVar: "PLUGIN_BUILD_ARGS",
 		},
+		cli.GenericFlag{
+			Name:   "args-new",
+			Usage:  "build args new",
+			EnvVar: "PLUGIN_BUILD_ARGS_NEW",
+			Value:  new(CustomStringSliceFlag),
+		},
+		cli.BoolFlag{
+			Name:   "plugin-multiple-build-agrs",
+			Usage:  "plugin multiple build agrs",
+			EnvVar: "PLUGIN_MULTIPLE_BUILD_ARGS",
+		},
 		cli.StringFlag{
 			Name:   "target",
 			Usage:  "build target",
@@ -384,6 +401,26 @@ func main() {
 			Usage:  "Number of retries for downloading base images.",
 			EnvVar: "PLUGIN_IMAGE_DOWNLOAD_RETRY",
 		},
+		cli.StringFlag{
+			Name:   "oidc-token-id",
+			Usage:  "OIDC token for assuming role via web identity",
+			EnvVar: "PLUGIN_OIDC_TOKEN_ID",
+		},
+		cli.StringFlag{
+			Name:   "tar-path",
+			Usage:  "Set this flag to save the image as a tarball at path",
+			EnvVar: "PLUGIN_TAR_PATH, PLUGIN_DESTINATION_TAR_PATH",
+		},
+		cli.StringFlag{
+			Name:   "source-tar-path",
+			Usage:  "Set this flag for the source tarball during push operations.",
+			EnvVar: "PLUGIN_SOURCE_TAR_PATH",
+		},
+		cli.BoolFlag{
+			Name:   "push-only",
+			Usage:  "Specify if the operation is push-only",
+			EnvVar: "PLUGIN_PUSH_ONLY",
+		},
 	}

 	if err := app.Run(os.Args); err != nil {
@@ -396,8 +433,20 @@ func run(c *cli.Context) error {
 	registry := c.String("registry")
 	region := c.String("region")
 	noPush := c.Bool("no-push")
+	pushOnly := c.Bool("push-only")
 	assumeRole := c.String("assume-role")
 	externalId := c.String("external-id")
+	oidcToken := c.String("oidc-token-id")
+
+	// Validate flags
+	if noPush && pushOnly {
+		return fmt.Errorf("no-push and push-only flags cannot be used together")
+	}
+
+	// Handle push-only operation
+	if pushOnly {
+		return handlePushOnly(c)
+	}

 	// setup docker config for azure registry and base image docker registry
 	err := setDockerAuth(
@@ -411,6 +460,7 @@ func run(c *cli.Context) error {
 		externalId,
 		region,
 		noPush,
+		oidcToken,
 	)
 	if err != nil {
 		return errors.Wrap(err, "failed to create docker config")
@@ -454,6 +504,8 @@ func run(c *cli.Context) error {
 			AutoTagSuffix:               c.String("auto-tag-suffix"),
 			ExpandTag:                   c.Bool("expand-tag"),
 			Args:                        c.StringSlice("args"),
+			ArgsNew:                     c.Generic("args-new").(*CustomStringSliceFlag).GetValue(),
+			IsMultipleBuildArgs:         c.Bool("plugin-multiple-build-agrs"),
 			Target:                      c.String("target"),
 			Repo:                        fmt.Sprintf("%s/%s", c.String("registry"), c.String("repo")),
 			Mirrors:                     c.StringSlice("registry-mirrors"),
@@ -495,8 +547,12 @@ func run(c *cli.Context) error {
 			SkipTLSVerifyRegistry:       c.Bool("skip-tls-verify-registry"),
 			UseNewRun:                   c.Bool("use-new-run"),
 			IgnorePath:                  c.String("ignore-path"),
+			IgnorePaths:                 c.StringSlice("ignore-paths"),
 			ImageFSExtractRetry:         c.Int("image-fs-extract-retry"),
 			ImageDownloadRetry:          c.Int("image-download-retry"),
+			TarPath:                     c.String("tar-path"),
+			SourceTarPath:               c.String("source-tar-path"),
+			PushOnly:                    c.Bool("push-only"),
 		},
 		Artifact: kaniko.Artifact{
 			Tags:         c.StringSlice("tags"),
@@ -518,7 +574,7 @@ func run(c *cli.Context) error {
 }

 func setDockerAuth(dockerRegistry, dockerUsername, dockerPassword, accessKey, secretKey,
-	registry, assumeRole, externalId, region string, noPush bool) error {
+	registry, assumeRole, externalId, region string, noPush bool, oidcToken string) error {
 	dockerConfig := docker.NewConfig()
 	credentials := []docker.RegistryCredentials{}
 	// set docker credentials for base image registry
@@ -531,7 +587,24 @@ func setDockerAuth(dockerRegistry, dockerUsername, dockerPassword, accessKey, se
 		credentials = append(credentials, pullFromRegistryCreds)
 	}

-	if assumeRole != "" {
+	if assumeRole != "" && oidcToken != "" {
+		oidcAccessKey, oidcSecretKey, oidcSessionKey, err := getOidcCreds(oidcToken, assumeRole)
+		if err != nil {
+			return err
+		}
+
+		_ = os.Setenv(accessKeyEnv, oidcAccessKey)
+		_ = os.Setenv(secretKeyEnv, oidcSecretKey)
+		_ = os.Setenv(sessionKeyEnv, oidcSessionKey)
+
+		// kaniko-executor >=1.8.0 does not require additional cred helper logic for ECR,
+		// as it discovers ECR repositories automatically and acts accordingly.
+		if isKanikoVersionBelowOneDotEight(os.Getenv(kanikoVersionEnv)) {
+			dockerConfig.SetCredHelper(ecrPublicDomain, "ecr-login")
+			dockerConfig.SetCredHelper(registry, "ecr-login")
+		}
+
+	} else if assumeRole != "" {
 		var err error
 		username, password, registry, err := getAssumeRoleCreds(region, assumeRole, externalId, "")
 		if err != nil {
@@ -771,3 +844,164 @@ func isKanikoVersionBelowOneDotEight(v string) bool {

 	return currVer.LessThan(oneEightVer)
 }
+
+func getOidcCreds(oidcToken, assumeRole string) (string, string, string, error) {
+	// Create a new session
+	sess, err := session.NewSession()
+	if err != nil {
+		return "", "", "", fmt.Errorf("failed to create AWS session: %w", err)
+	}
+
+	// Create a new STS client
+	svc := sts.New(sess)
+
+	// Prepare the input parameters for the STS call
+	duration := int64(time.Hour / time.Second)
+	input := &sts.AssumeRoleWithWebIdentityInput{
+		RoleArn:          aws.String(assumeRole),
+		RoleSessionName:  aws.String("kaniko-ecr-oidc"),
+		WebIdentityToken: aws.String(oidcToken),
+		DurationSeconds:  aws.Int64(duration),
+	}
+
+	// Call the AssumeRoleWithWebIdentity function
+	result, err := svc.AssumeRoleWithWebIdentity(input)
+	if err != nil {
+		return "", "", "", fmt.Errorf("failed to assume role with web identity: %w", err)
+	}
+
+	// Check if credentials exist in the result
+	if result.Credentials == nil {
+		return "", "", "", errors.New("no credentials returned by AssumeRoleWithWebIdentity")
+	}
+
+	// Return the credentials
+	return *result.Credentials.AccessKeyId, *result.Credentials.SecretAccessKey, *result.Credentials.SessionToken, nil
+}
+
+func createECRSession(region, accessKey, secretKey, sessionToken string) *ecrv1.ECR {
+	sess := session.Must(session.NewSession(&awsv1.Config{
+		Region: awsv1.String(region),
+		Credentials: credentials.NewStaticCredentials(
+			accessKey,
+			secretKey,
+			sessionToken,
+		),
+	}))
+	return ecrv1.New(sess)
+}
+
+func getECRCredentials(region, registry, assumeRole, externalId, accessKey, secretKey, oidcToken string) (string, string, error) {
+	if assumeRole != "" && oidcToken != "" {
+		// For OIDC auth with assume role
+		awsAccessKey, awsSecretKey, awsSessionToken, err := getOidcCreds(oidcToken, assumeRole)
+		if err != nil {
+			return "", "", fmt.Errorf("failed to get OIDC credentials: %w", err)
+		}
+
+		// Create ECR session and get auth info
+		svc := createECRSession(region, awsAccessKey, awsSecretKey, awsSessionToken)
+		username, password, _, err := getAuthInfo(svc)
+		if err != nil {
+			return "", "", fmt.Errorf("failed to get ECR credentials: %w", err)
+		}
+		return username, password, nil
+	} else if assumeRole != "" {
+		// For assume role auth
+		username, password, _, err := getAssumeRoleCreds(region, assumeRole, externalId, "")
+		if err != nil {
+			return "", "", fmt.Errorf("failed to get ECR credentials: %w", err)
+		}
+		return username, password, nil
+	} else if accessKey != "" && secretKey != "" {
+		// For direct credentials
+		sess := session.Must(session.NewSession(&awsv1.Config{
+			Region: awsv1.String(region),
+			Credentials: credentials.NewStaticCredentials(
+				accessKey,
+				secretKey,
+				"",
+			),
+		}))
+		svc := ecrv1.New(sess)
+
+		username, password, _, err := getAuthInfo(svc)
+		if err != nil {
+			return "", "", fmt.Errorf("failed to get ECR credentials: %w", err)
+		}
+		return username, password, nil
+	} else {
+		// For IAM role auth (default credentials)
+		sess := session.Must(session.NewSession(&awsv1.Config{
+			Region: awsv1.String(region),
+		}))
+		svc := ecrv1.New(sess)
+
+		username, password, _, err := getAuthInfo(svc)
+		if err != nil {
+			return "", "", fmt.Errorf("failed to get ECR credentials: %w", err)
+		}
+		return username, password, nil
+	}
+}
+
+func handlePushOnly(c *cli.Context) error {
+	sourceTarPath := c.String("source-tar-path")
+	if sourceTarPath == "" {
+		return fmt.Errorf("source_tar_path is required when push_only is set")
+	}
+
+	if _, err := os.Stat(sourceTarPath); os.IsNotExist(err) {
+		return fmt.Errorf("image tarball does not exist at path: %s", sourceTarPath)
+	}
+
+	repo := c.String("repo")
+	registry := c.String("registry")
+	if repo == "" || registry == "" {
+		return fmt.Errorf("repository and registry must be specified for push-only operation")
+	}
+
+	// Load the image from the tarball
+	img, err := crane.Load(sourceTarPath)
+	if err != nil {
+		return fmt.Errorf("failed to load image from tarball: %v", err)
+	}
+
+	// Get ECR credentials using the common function
+	username, password, err := getECRCredentials(
+		c.String("region"),
+		registry,
+		c.String("assume-role"),
+		c.String("external-id"),
+		c.String("access-key"),
+		c.String("secret-key"),
+		c.String("oidc-token-id"),
+	)
+	if err != nil {
+		return err
+	}
+
+	// Setup crane auth
+	opts := []crane.Option{
+		crane.WithAuth(&authn.Basic{
+			Username: username,
+			Password: password,
+		}),
+	}
+
+	// Push for each tag
+	tags := c.StringSlice("tags")
+	if len(tags) == 0 {
+		tags = []string{"latest"}
+	}
+
+	for _, tag := range tags {
+		dest := fmt.Sprintf("%s/%s:%s", registry, repo, tag)
+		if err := crane.Push(img, dest, opts...); err != nil {
+			return fmt.Errorf("failed to push image to %s: %v", dest, err)
+		}
+		fmt.Printf("Successfully pushed image to %s\n", dest)
+	}
+
+	return nil
+}
@@ -1,9 +1,12 @@
 package main

 import (
+	"encoding/base64"
+	"encoding/json"
 	"fmt"
 	"io/ioutil"
 	"os"
+	"path/filepath"

 	"github.com/joho/godotenv"
 	"github.com/pkg/errors"
@@ -13,13 +16,15 @@ import (
 	kaniko "github.com/drone/drone-kaniko"
 	"github.com/drone/drone-kaniko/pkg/artifact"
 	"github.com/drone/drone-kaniko/pkg/docker"
+	"github.com/google/go-containerregistry/pkg/authn"
+	"github.com/google/go-containerregistry/pkg/crane"
 )

 const (
 	dockerConfigPath string = "/kaniko/.docker"
 	// GAR JSON key file path
-	garKeyPath       string = "/kaniko/config.json"
-	garEnvVariable   string = "GOOGLE_APPLICATION_CREDENTIALS"
+	garKeyPath     string = "/kaniko/config.json"
+	garEnvVariable string = "GOOGLE_APPLICATION_CREDENTIALS"

 	defaultDigestFile string = "/kaniko/digest-file"
 )
@@ -166,6 +171,21 @@ func main() {
 			Usage:  "Set this flag if you only want to build the image, without pushing to a registry",
 			EnvVar: "PLUGIN_NO_PUSH",
 		},
+		cli.BoolFlag{
+			Name:   "push-only",
+			Usage:  "Set this flag if you only want to push a pre-built image from a tarball",
+			EnvVar: "PLUGIN_PUSH_ONLY",
+		},
+		cli.StringFlag{
+			Name:   "source-tar-path",
+			Usage:  "Path to the local tarball to be pushed when push-only is set",
+			EnvVar: "PLUGIN_SOURCE_TAR_PATH",
+		},
+		cli.StringFlag{
+			Name:   "tar-path",
+			Usage:  "Set this flag to save the image as a tarball at path",
+			EnvVar: "PLUGIN_TAR_PATH,PLUGIN_DESTINATION_TAR_PATH",
+		},
 		cli.StringFlag{
 			Name:   "verbosity",
 			Usage:  "Set this flag as --verbosity=<panic|fatal|error|warn|info|debug|trace> to set the logging level for kaniko. Defaults to info.",
@@ -340,6 +360,11 @@ func main() {
 }

 func run(c *cli.Context) error {
+	// Check if this is a push-only operation
+	if c.Bool("push-only") {
+		return handlePushOnly(c)
+	}
+
 	noPush := c.Bool("no-push")
 	jsonKey := c.String("json-key")
 	// JSON key may not be set in the following cases:
@@ -351,7 +376,7 @@ func run(c *cli.Context) error {
 		}

 		// setup docker config only when base image registry is specified
-		if c.String("base-image-registry") != ""{
+		if c.String("base-image-registry") != "" {
 			if err := setDockerAuth(
 				c.String("base-image-username"),
 				c.String("base-image-password"),
@@ -383,6 +408,9 @@ func run(c *cli.Context) error {
 			CacheTTL:                    c.Int("cache-ttl"),
 			DigestFile:                  defaultDigestFile,
 			NoPush:                      noPush,
+			PushOnly:                    c.Bool("push-only"),
+			SourceTarPath:               c.String("source-tar-path"),
+			TarPath:                     c.String("tar-path"),
 			Verbosity:                   c.String("verbosity"),
 			Platform:                    c.String("platform"),
 			SkipUnusedStages:            c.Bool("skip-unused-stages"),
@@ -414,6 +442,7 @@ func run(c *cli.Context) error {
 			SkipTLSVerifyRegistry:       c.Bool("skip-tls-verify-registry"),
 			UseNewRun:                   c.Bool("use-new-run"),
 			IgnorePath:                  c.String("ignore-path"),
+			IgnorePaths:                 c.StringSlice("ignore-paths"),
 			ImageFSExtractRetry:         c.Int("image-fs-extract-retry"),
 			ImageDownloadRetry:          c.Int("image-download-retry"),
 		},
@@ -436,7 +465,7 @@ func run(c *cli.Context) error {
 	return plugin.Exec()
 }

-func setDockerAuth(dockerUsername, dockerPassword, dockerRegistry string) (error) {
+func setDockerAuth(dockerUsername, dockerPassword, dockerRegistry string) error {
 	dockerConfig := docker.NewConfig()
 	dockerRegistryCreds := docker.RegistryCredentials{
 		Registry: dockerRegistry,
@@ -460,3 +489,113 @@ func setupGARAuth(jsonKey string) error {
 	}
 	return nil
 }
+
+func handlePushOnly(c *cli.Context) error {
+	// Validate inputs for push-only operation
+	sourceTarPath := c.String("source-tar-path")
+	if sourceTarPath == "" {
+		return fmt.Errorf("source_tar_path is required when push_only is set")
+	}
+
+	if _, err := os.Stat(sourceTarPath); os.IsNotExist(err) {
+		return fmt.Errorf("image tarball does not exist at path: %s", sourceTarPath)
+	}
+
+	repo := c.String("repo")
+	registry := c.String("registry")
+	if repo == "" || registry == "" {
+		return fmt.Errorf("repository and registry must be specified for push-only operation")
+	}
+
+	// Authentication options for crane
+	var opts []crane.Option
+
+	// Setup GAR authentication
+	jsonKey := c.String("json-key")
+	if jsonKey != "" {
+		if err := setupGARAuth(jsonKey); err != nil {
+			return err
+		}
+
+		logrus.Info("Setting up authentication for GAR")
+
+		// Create Docker config directory if it doesn't exist
+		dockerConfigDir := "/kaniko/.docker"
+		if err := os.MkdirAll(dockerConfigDir, 0755); err != nil {
+			return fmt.Errorf("failed to create Docker config directory: %v", err)
+		}
+
+		// Generate a Docker config with GAR auth
+		type DockerAuth struct {
+			Username string `json:"username"`
+			Password string `json:"password"`
+			Auth     string `json:"auth"`
+		}
+
+		type DockerConfig struct {
+			Auths map[string]DockerAuth `json:"auths"`
+		}
+
+		// Create proper Auth field (base64 encoded username:password)
+		username := "_json_key"
+		authString := base64.StdEncoding.EncodeToString([]byte(username + ":" + jsonKey))
+
+		// Use _json_key as username and the key content as password for GAR
+		config := DockerConfig{
+			Auths: map[string]DockerAuth{
+				registry: {
+					Username: username,
+					Password: jsonKey,
+					Auth:     authString,
+				},
+			},
+		}
+
+		// Write the Docker config
+		configBytes, err := json.Marshal(config)
+		if err != nil {
+			return fmt.Errorf("failed to marshal Docker config: %v", err)
+		}
+
+		dockerConfigPath := filepath.Join(dockerConfigDir, "config.json")
+		if err := ioutil.WriteFile(dockerConfigPath, configBytes, 0644); err != nil {
+			return fmt.Errorf("failed to write Docker config: %v", err)
+		}
+
+		// Explicitly set DOCKER_CONFIG environment variable to ensure crane finds the config
+		if err := os.Setenv("DOCKER_CONFIG", dockerConfigDir); err != nil {
+			return fmt.Errorf("failed to set DOCKER_CONFIG environment variable: %v", err)
+		}
+
+		// Set up crane to use basic auth with docker config
+		opts = append(opts, crane.WithAuthFromKeychain(authn.DefaultKeychain))
+	} else {
+		logrus.Warn("No JSON key provided, authentication may fail if not running with workload identity")
+	}
+
+	// Load the image from the tarball
+	logrus.Infof("Loading image from tarball: %s", sourceTarPath)
+	img, err := crane.Load(sourceTarPath)
+	if err != nil {
+		return fmt.Errorf("failed to load image from tarball: %v", err)
+	}
+
+	// Push for each tag
+	tags := c.StringSlice("tags")
+	if len(tags) == 0 {
+		tags = []string{"latest"}
+	}
+
+	for _, tag := range tags {
+		dest := fmt.Sprintf("%s/%s:%s", registry, repo, tag)
+		logrus.Infof("Pushing image to: %s", dest)
+
+		if err := crane.Push(img, dest, opts...); err != nil {
+			return fmt.Errorf("failed to push image to %s: %v", dest, err)
+		}
+
+		logrus.Infof("Successfully pushed image to %s", dest)
+	}
+
+	return nil
+}
@@ -416,6 +416,7 @@ func run(c *cli.Context) error {
 			SkipTLSVerifyRegistry:       c.Bool("skip-tls-verify-registry"),
 			UseNewRun:                   c.Bool("use-new-run"),
 			IgnorePath:                  c.String("ignore-path"),
+			IgnorePaths:                 c.StringSlice("ignore-paths"),
 			ImageFSExtractRetry:         c.Int("image-fs-extract-retry"),
 			ImageDownloadRetry:          c.Int("image-download-retry"),
 		},
@@ -1,5 +1,5 @@
-FROM gcr.io/kaniko-project/executor:v1.20.1
+FROM harnesscommunity/kaniko-executor:1.25.0-linux-amd64

-ENV KANIKO_VERSION=1.20.1
+ENV KANIKO_VERSION=1.25.0
 ADD release/linux/amd64/kaniko-acr /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-acr"]
@@ -1,8 +1,8 @@
-FROM gcr.io/kaniko-project/executor:v1.20.1
+FROM harnesscommunity/kaniko-executor:1.25.0-linux-arm64

 ENV HOME /root
 ENV USER root

-ENV KANIKO_VERSION=1.20.1
+ENV KANIKO_VERSION=1.25.0
 ADD release/linux/arm64/kaniko-acr /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-acr"]
@@ -1,5 +1,5 @@
-FROM gcr.io/kaniko-project/executor:v1.20.1
+FROM harnesscommunity/kaniko-executor:1.25.0-linux-amd64

-ENV KANIKO_VERSION=1.20.1
+ENV KANIKO_VERSION=1.25.0
 ADD release/linux/amd64/kaniko-docker /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-docker"]
@@ -1,8 +1,8 @@
-FROM gcr.io/kaniko-project/executor:v1.20.1
+FROM harnesscommunity/kaniko-executor:1.25.0-linux-arm64

 ENV HOME /root
 ENV USER root

-ENV KANIKO_VERSION=1.20.1
+ENV KANIKO_VERSION=1.25.0
 ADD release/linux/arm64/kaniko-docker /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-docker"]
@@ -1,5 +1,5 @@
-FROM gcr.io/kaniko-project/executor:v1.20.1
+FROM harnesscommunity/kaniko-executor:1.25.0-linux-amd64

-ENV KANIKO_VERSION=1.20.1
+ENV KANIKO_VERSION=1.25.0
 ADD release/linux/amd64/kaniko-ecr /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-ecr"]
@@ -1,8 +1,8 @@
-FROM gcr.io/kaniko-project/executor:v1.20.1
+FROM harnesscommunity/kaniko-executor:1.25.0-linux-arm64

 ENV HOME /root
 ENV USER root
-ENV KANIKO_VERSION=1.20.1
+ENV KANIKO_VERSION=1.25.0

 ADD release/linux/arm64/kaniko-ecr /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-ecr"]
@@ -1,5 +1,5 @@
-FROM gcr.io/kaniko-project/executor:v1.20.1
+FROM harnesscommunity/kaniko-executor:1.25.0-linux-amd64

-ENV KANIKO_VERSION=1.20.1
+ENV KANIKO_VERSION=1.25.0
 ADD release/linux/amd64/kaniko-gar /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-gar"]
@@ -1,8 +1,8 @@
-FROM gcr.io/kaniko-project/executor:v1.20.1
+FROM harnesscommunity/kaniko-executor:1.25.0-linux-arm64

 ENV HOME /root
 ENV USER root
-ENV KANIKO_VERSION=1.20.1
+ENV KANIKO_VERSION=1.25.0

 ADD release/linux/arm64/kaniko-gar /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-gar"]
@@ -1,5 +1,5 @@
-FROM gcr.io/kaniko-project/executor:v1.20.1
+FROM gcr.io/kaniko-project/executor:v1.23.2

-ENV KANIKO_VERSION=1.20.1
+ENV KANIKO_VERSION=1.23.2
 ADD release/linux/amd64/kaniko-gcr /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-gcr"]
@@ -1,8 +1,8 @@
-FROM gcr.io/kaniko-project/executor:v1.20.1
+FROM gcr.io/kaniko-project/executor:v1.23.2

 ENV HOME /root
 ENV USER root
-ENV KANIKO_VERSION=1.20.1
+ENV KANIKO_VERSION=1.23.2

 ADD release/linux/arm64/kaniko-gcr /kaniko/
 ENTRYPOINT ["/kaniko/kaniko-gcr"]
@@ -0,0 +1,8 @@
+This document explains on how to install certain git hooks globally for all repositories in your machine.
+
+Step 1: git clone https://github.com/drone/drone-kaniko.git
+Step 2: cd git-hooks
+Step 3: Run install.sh
+
+"install.sh" script will create .git_template in the user directory and will put the git hook and its dependent scripts in it. Along with the .git_template folder, it will add 2 sections "init" and "hooks boolean" in the .gitconfig file in the same user's root directory.
+After running "install.sh" if you create/clone a new git repository then all the hooks will get install automatically for the git repository. In case of existing git repository copy the contents of ~/.git_template/hooks into the .git/hooks directory of existing git repository.
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+#Helper script to be used as a pre-commit hook.
+
+echo "This hook checks for any secrets getting pushed as part of commit. If you feel that scan is false positive. \
+Then add the exclusion in .gitleaksignore file. For more info visit: https://github.com/zricethezav/gitleaks"
+
+GIT_LEAKS_PRE_COMMIT=s$(git config --bool hook.pre-commit.gitleak)
+
+echo "INFO: Scanning Commits information for any GIT LEAKS"
+gitleaks protect --staged -v --exit-code=100
+STATUS=$?
+if [ $STATUS = 100  ]; then
+    echo "WARNING: GIT LEAKS has detected sensitive information in your changes. Please remove them or add them (IF NON-SENSITIVE) in .gitleaksignore file."
+else
+    exit 0
+fi
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+#Helper script to be used as a pre-commit hook.
+
+echo "This hook checks for any secrets getting pushed as part of commit. If you feel that scan is false positive. \
+Then add the exclusion in .gitleaksignore file. For more info visit: https://github.com/zricethezav/gitleaks"
+
+GIT_LEAKS=$(git config --bool hook.pre-push.gitleaks)
+
+echo "INFO: Scanning Commits information for any GIT LEAKS"
+gitleaks detect -s ./ --log-level=debug --log-opts=-1 -v
+STATUS=$?
+if [ $STATUS != 0  ]; then
+    echo "WARNING: GIT LEAKS has detected sensitive information in your changes. Please remove them or add them (IF NON-SENSITIVE) in .gitleaksignore file."
+    exit $STATUS
+else
+    exit 0
+fi
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+GL_SCRIPT_PATH="$HOME/.git_template/hooks/git-leaks-pre-commit.sh"
+
+pushd `dirname $0` > /dev/null && cd ../.. && BASEDIR=$(pwd -L) && popd > /dev/null
+BASENAME=`basename $0`
+
+if git rev-parse --verify HEAD >/dev/null 2>&1
+then
+    against=HEAD
+else
+    #Initial commit : diff against an empty tree object
+    against=4b825dc642cb6eb9a060e54bf8d69288fbee4904
+fi
+
+GIT_LEAKS_PRE_COMMIT=hook.pre-commit.gitleaks
+if [ "`git config $GIT_LEAKS_PRE_COMMIT`" == "false" ]
+then
+    echo -e '\033[0;31m' checking git leaks is disabled - to enable: '\033[0;37m'git config --unset $GIT_LEAKS_PRE_COMMIT '\033[0m'
+    echo -e '\033[0;34m' checking git leaks  ... to enable: '\033[0;37m'git config --add $GIT_LEAKS_PRE_COMMIT true '\033[0m'
+else
+    echo -e '\033[0;34m' checking for git leaks...
+    [ -f "${GL_SCRIPT_PATH}" ] && . ${GL_SCRIPT_PATH} || echo "ERROR: Hook Script Not Found..." && exit 404
+fi
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+GL_SCRIPT_PATH="$HOME/.git_template/hooks/git-leaks.sh"
+
+pushd `dirname $0` > /dev/null && cd ../.. && BASEDIR=$(pwd -L) && popd > /dev/null
+BASENAME=`basename $0`
+
+if git rev-parse --verify HEAD >/dev/null 2>&1
+then
+    against=HEAD
+else
+    #Initial commit : diff against an empty tree object
+    against=4b825dc642cb6eb9a060e54bf8d69288fbee4904
+fi
+
+GIT_LEAKS=hook.pre-push.gitleaks
+if [ "`git config $GIT_LEAKS`" == "false" ]
+then
+    echo -e '\033[0;31m' checking git leaks is disabled - to enable: '\033[0;37m'git config --unset $GIT_LEAKS '\033[0m'
+    echo -e '\033[0;34m' checking git leaks  ... to enable: '\033[0;37m'git config --add $GIT_LEAKS true '\033[0m'
+else
+    echo -e '\033[0;34m' checking for git leaks...
+    [ -f "${GL_SCRIPT_PATH}" ] && . ${GL_SCRIPT_PATH} || echo "ERROR: Hook Script Not Found..." && exit 404
+fi
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+#Function to check if package is installed or not
+#args: $1: Name of the Package
+function check_package_installed() {
+  LOCAL_PACKAGE_NAME=$1
+  echo "Checking if $LOCAL_PACKAGE_NAME is installed or not..."
+  brew list $LOCAL_PACKAGE_NAME
+  if [ "$?" -eq 1 ];then
+    echo "Installing $LOCAL_PACKAGE_NAME package..."
+    brew install $LOCAL_PACKAGE_NAME
+  fi
+}
+
+function create_git_template() {
+    cd $BASEDIR
+    mkdir -p ~/.git_template/hooks
+    git config --global init.templatedir ${GIT_TEMPLATE}
+    git config --global --add $GIT_LEAKS true
+    git config --global --add $GIT_LEAKS_PRE_COMMIT true
+    find hooks/ -type f -exec cp "{}" ~/.git_template/hooks \;
+    #cp -f hooks/* ~/.git_template/hooks
+    cat ~/.gitconfig
+}
+
+GIT_TEMPLATE="~/.git_template"
+GIT_LEAKS=hook.pre-push.gitleaks
+GIT_LEAKS_PRE_COMMIT=hook.pre-commit.gitleaks
+
+pushd `dirname $0` && BASEDIR=$(pwd -L) && popd
+
+echo This script will install hooks that run scripts that could be updated without notice.
+
+while true; do
+    read -p "Do you wish to install these hooks?" yn
+    case $yn in
+        [Yy]* ) check_package_installed "gitleaks";
+                break;;
+        [Nn]* ) exit;;
+        * ) echo "Please answer yes or no.";;
+    esac
+done
+
+create_git_template
@@ -10,14 +10,15 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.13.8
 	github.com/aws/smithy-go v1.12.0
 	github.com/coreos/go-semver v0.3.0
-	github.com/google/go-cmp v0.5.9
+	github.com/google/go-cmp v0.6.0
+	github.com/google/go-containerregistry v0.20.3
 	github.com/hashicorp/go-version v1.6.0
 	github.com/joho/godotenv v1.4.0
 	github.com/pkg/errors v0.9.1
 	github.com/sirupsen/logrus v1.9.3
-	github.com/stretchr/testify v1.8.4
-	github.com/urfave/cli v1.22.9
-	golang.org/x/mod v0.17.0
+	github.com/stretchr/testify v1.9.0
+	github.com/urfave/cli v1.22.15
+	golang.org/x/mod v0.22.0
 )

 require (
@@ -31,20 +32,32 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.8 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sso v1.11.12 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.16.9 // indirect
-	github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.16.3 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.6 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/docker/cli v27.5.0+incompatible // indirect
+	github.com/docker/distribution v2.8.3+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.8.2 // indirect
 	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/klauspost/compress v1.17.11 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.1.0 // indirect
 	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa // indirect
-	golang.org/x/net v0.0.0-20220725212005-46097bf591d3 // indirect
-	golang.org/x/sys v0.19.0 // indirect
-	golang.org/x/text v0.3.7 // indirect
+	github.com/vbatts/tar-split v0.11.6 // indirect
+	golang.org/x/crypto v0.14.0 // indirect
+	golang.org/x/net v0.17.0 // indirect
+	golang.org/x/sync v0.10.0 // indirect
+	golang.org/x/sys v0.29.0 // indirect
+	golang.org/x/text v0.13.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

-go 1.22.0
+go 1.23.0
+
+toolchain go1.23.8
@@ -6,7 +6,7 @@ github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 h1:jp0dGvZ7ZK0mgqnTSClMxa5
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0/go.mod h1:eWRD7oawr1Mu1sLCawqVc0CUiF43ia3qQMxLscsKQ9w=
 github.com/AzureAD/microsoft-authentication-library-for-go v0.5.3 h1:TsFCaaF5tR4XN8b4zLVl/J4qMb0nf80Q4CXcpXDNJDY=
 github.com/AzureAD/microsoft-authentication-library-for-go v0.5.3/go.mod h1:Vt9sXTKwMyGcOxSmLDMnGPgqsUg7m8pe215qMLrDXw4=
-github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/aws/aws-sdk-go v1.44.52 h1:kHLbYJj59C7VrsLM4gm7pxsvaNIvhXCCIDYEFFoQ+VE=
 github.com/aws/aws-sdk-go v1.44.52/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
 github.com/aws/aws-sdk-go-v2 v1.16.7 h1:zfBwXus3u14OszRxGcqCDS4MfMCv10e8SMJ2r8Xm0Ns=
@@ -35,24 +35,34 @@ github.com/aws/aws-sdk-go-v2/service/sts v1.16.9 h1:yOfILxyjmtr2ubRkRJldlHDFBhf5
 github.com/aws/aws-sdk-go-v2/service/sts v1.16.9/go.mod h1:O1IvkYxr+39hRf960Us6j0x1P8pDqhTX+oXM5kQNl/Y=
 github.com/aws/smithy-go v1.12.0 h1:gXpeZel/jPoWQ7OEmLIgCUnhkFftqNfwWUwAHSlp1v0=
 github.com/aws/smithy-go v1.12.0/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
+github.com/containerd/stargz-snapshotter/estargz v0.16.3 h1:7evrXtoh1mSbGj/pfRccTampEyKpjpOnS3CyiV1Ebr8=
+github.com/containerd/stargz-snapshotter/estargz v0.16.3/go.mod h1:uyr4BfYfOj3G9WBVE8cOlQmXAbPN9VEQpBBeJIuOipU=
 github.com/coreos/go-semver v0.3.0 h1:wkHLiw0WNATZnSG7epLsujiMCgPAc9xhjJ4tgnAxmfM=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
-github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
-github.com/cpuguy83/go-md2man/v2 v2.0.4 h1:wfIWP927BUkWJb2NmU/kNDYIBTh/ziUX91+lVfRxZq4=
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cpuguy83/go-md2man/v2 v2.0.6 h1:XJtiaUW6dEEqVuZiMTn1ldk455QWwEIsMIJlo5vtkx0=
+github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dnaeon/go-vcr v1.1.0 h1:ReYa/UBrRyQdant9B4fNHGoCNKw6qh6P0fsdGmZpR7c=
 github.com/dnaeon/go-vcr v1.1.0/go.mod h1:M7tiix8f0r6mKKJ3Yq/kqU1OYf3MnfmBWVbPx/yU9ko=
+github.com/docker/cli v27.5.0+incompatible h1:aMphQkcGtpHixwwhAXJT1rrK/detk2JIvDaFkLctbGM=
+github.com/docker/cli v27.5.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
+github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
+github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo=
+github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M=
 github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
 github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 github.com/golang-jwt/jwt/v4 v4.2.0 h1:besgBTC8w8HjP6NzQdxwKH9Z5oQMZ24ThTrHp3cZ8eU=
 github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
 github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
-github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-containerregistry v0.20.3 h1:oNx7IdTI936V8CQRveCjaxOiegWwvM7kqkbXTpyiovI=
+github.com/google/go-containerregistry v0.20.3/go.mod h1:w00pIgBRDVUDFM6bq+Qx8lwNWK+cxgCuX1vd3PIBDNI=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@@ -64,9 +74,17 @@ github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGw
 github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/joho/godotenv v1.4.0 h1:3l4+N6zfMWnkbPEXKng2o2/MR5mSwTrBih4ZEkkz1lg=
 github.com/joho/godotenv v1.4.0/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
+github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
+github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
+github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
+github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/montanaflynn/stats v0.6.6/go.mod h1:etXPPgVO6n31NxCd9KQUMvCM+ve0ruNzt6R8Bnaayow=
+github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
+github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
+github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
+github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
 github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4/go.mod h1:N6UoU20jOqggOuDwUaBQpluzLNDqif3kq9z2wpdYEfQ=
 github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 h1:KoWmjvw+nsYOo29YJK9vDA65RGE3NrOnUtO7a+RF9HU=
 github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI=
@@ -74,42 +92,52 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-github.com/urfave/cli v1.22.9 h1:cv3/KhXGBGjEXLC4bH0sLuJ9BewaAbpk5oyMOveu4pw=
-github.com/urfave/cli v1.22.9/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
-golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa h1:zuSxTR4o9y82ebqCUJYNGJbGPo6sKVl54f/TVDObg1c=
-golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
-golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/urfave/cli v1.22.15 h1:nuqt+pdC/KqswQKhETJjo7pvn/k4xMUxgW6liI7XpnM=
+github.com/urfave/cli v1.22.15/go.mod h1:wSan1hmo5zeyLGBjRJbzRTNk8gwoYa2B9n4q9dmRIc0=
+github.com/vbatts/tar-split v0.11.6 h1:4SjTW5+PU11n6fZenf2IPoV8/tz3AaYHMWjf23envGs=
+github.com/vbatts/tar-split v0.11.6/go.mod h1:dqKNtesIOr2j2Qv3W/cHjnvk9I8+G7oAkFDFN6TCBEI=
+golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
+golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
+golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4=
+golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220725212005-46097bf591d3 h1:2yWTtPWWRcISTw3/o+s/Y4UOMnQL71DWyToOANFusCg=
-golang.org/x/net v0.0.0-20220725212005-46097bf591d3/go.mod h1:AaygXjzTFtRAg2ttMY5RMuhpJ3cNnI0XpyFJD1iQRSM=
+golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
+golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
+golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o=
-golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
+golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0=
+gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
@@ -5,77 +5,86 @@ import (
 	"io/ioutil"
 	"os"
 	"os/exec"
+	"path/filepath"
 	"strings"

+	v1 "github.com/google/go-containerregistry/pkg/v1"
+
 	"github.com/drone/drone-kaniko/pkg/artifact"
 	"github.com/drone/drone-kaniko/pkg/output"
 	"github.com/drone/drone-kaniko/pkg/tagger"
+	"github.com/google/go-containerregistry/pkg/crane"
 	"golang.org/x/mod/semver"
 )

 type (
 	// Build defines Docker build parameters.
 	Build struct {
-		DroneCommitRef   string   // Drone git commit reference
-		DroneRepoBranch  string   // Drone repo branch
-		Dockerfile       string   // Docker build Dockerfile
-		Context          string   // Docker build context
-		Tags             []string // Docker build tags
-		AutoTag          bool     // Set this to auto detect tags from git commits and semver-tagged labels
-		AutoTagSuffix    string   // Suffix to append to the auto detect tags
-		ExpandTag        bool     // Set this to expand the `Tags` into semver-tagged labels
-		Args             []string // Docker build args
-		Target           string   // Docker build target
-		Repo             string   // Docker build repository
-		Mirrors          []string // Docker repository mirrors
-		Labels           []string // Label map
-		SkipTlsVerify    bool     // Docker skip tls certificate verify for registry
-		SnapshotMode     string   // Kaniko snapshot mode
-		EnableCache      bool     // Whether to enable kaniko cache
-		CacheRepo        string   // Remote repository that will be used to store cached layers
-		CacheTTL         int      // Cache timeout in hours
-		DigestFile       string   // Digest file location
-		NoPush           bool     // Set this flag if you only want to build the image, without pushing to a registry
-		Verbosity        string   // Log level
-		Platform         string   // Allows to build with another default platform than the host, similarly to docker build --platform
-		SkipUnusedStages bool     // Build only used stages
-		TarPath          string   // Set this flag to save the image as a tarball at path
+		Args                []string // Docker build args
+		ArgsNew             []string // docker build args with comma seperated values
+		AutoTag             bool     // Set this to auto detect tags from git commits and semver-tagged labels
+		AutoTagSuffix       string   // Suffix to append to the auto detect tags
+		CacheRepo           string   // Remote repository that will be used to store cached layers
+		CacheTTL            int      // Cache timeout in hours
+		Context             string   // Docker build context
+		DigestFile          string   // Digest file location
+		Dockerfile          string   // Docker build Dockerfile
+		DroneCommitRef      string   // Drone git commit reference
+		DroneRepoBranch     string   // Drone repo branch
+		EnableCache         bool     // Whether to enable kaniko cache
+		ExpandTag           bool     // Set this to expand the `Tags` into semver-tagged labels
+		IsMultipleBuildArgs bool     // env variable for fallback for docker build args
+		Labels              []string // Label map
+		Mirrors             []string // Docker repository mirrors
+		NoPush              bool     // Set this flag if you only want to build the image, without pushing to a registry
+		Platform            string   // Allows to build with another default platform than the host, similarly to docker build --platform
+		PushOnly            bool     // Specify if the operation is push-only.
+		Repo                string   // Docker build repository
+		SkipTlsVerify       bool     // Docker skip tls certificate verify for registry
+		SkipUnusedStages    bool     // Build only used stages
+		SnapshotMode        string   // Kaniko snapshot mode
+		SourceTarPath       string   // Path to the local tarball to be pushed
+		Tags                []string // Docker build tags
+		TarPath             string   // Set this flag to save the image as a tarball at path
+		Target              string   // Docker build target
+		Verbosity           string   // Log level

-		Cache                       bool   // Enable or disable caching during the build process.
-		CacheDir                    string // Directory to store cached layers.
-		CacheCopyLayers             bool   // Enable or disable copying layers from the cache.
-		CacheRunLayers              bool   // Enable or disable running layers from the cache.
-		Cleanup                     bool   // Enable or disable cleanup of temporary files.
-		CompressedCaching           *bool  // Enable or disable compressed caching.
-		ContextSubPath              string // Sub-path within the context to build.
-		CustomPlatform              string // Platform to use for building.
-		Force                       bool   // Force building the image even if it already exists.
-		Git                         bool   // Branch to clone if build context is a git repository .
-		ImageNameWithDigestFile     string // Write image name with digest to a file.
-		ImageNameTagWithDigestFile  string // Write image name with tag and digest to a file.
-		Insecure                    bool   // Allow connecting to registries without TLS.
-		InsecurePull                bool   // Allow insecure pulls from the registry.
-		InsecureRegistry            string // Use plain HTTP for registry communication.
-		Label                       string // Add metadata to an image.
-		LogFormat                   string // Set the log format for build output.
-		LogTimestamp                bool   // Show timestamps in build output.
-		OCILayoutPath               string // Directory to store OCI layout.
-		PushRetry                   int    // Number of times to retry pushing an image.
-		RegistryCertificate         string // Path to a file containing a registry certificate.
-		RegistryClientCert          string // Path to a file containing a registry client certificate.
-		RegistryMirror              string // Mirror for registry pulls.
-		SkipDefaultRegistryFallback bool   // Skip Docker Hub and default registry fallback.
-		Reproducible                bool   // Create a reproducible image.
-		SingleSnapshot              bool   // Only create a single snapshot of the image.
-		SkipTLSVerify               bool   // Skip TLS verification when connecting to the registry.
-		SkipPushPermissionCheck     bool   // Skip permission check when pushing.
-		SkipTLSVerifyPull           bool   // Skip TLS verification when pulling.
-		SkipTLSVerifyRegistry       bool   // Skip TLS verification when connecting to a registry.
-		UseNewRun                   bool   // Use the new container runtime (`runc`) for builds.
-		IgnoreVarRun                *bool  // Ignore `/var/run` when copying from the context.
-		IgnorePath                  string // Ignore files matching the specified path pattern.
-		ImageFSExtractRetry         int    // Number of times to retry extracting the image filesystem.
-		ImageDownloadRetry          int    // Number of times to retry downloading layers.
+		Cache                       bool     // Enable or disable caching during the build process.
+		CacheDir                    string   // Directory to store cached layers.
+		CacheCopyLayers             bool     // Enable or disable copying layers from the cache.
+		CacheRunLayers              bool     // Enable or disable running layers from the cache.
+		Cleanup                     bool     // Enable or disable cleanup of temporary files.
+		CompressedCaching           *bool    // Enable or disable compressed caching.
+		ContextSubPath              string   // Sub-path within the context to build.
+		CustomPlatform              string   // Platform to use for building.
+		Force                       bool     // Force building the image even if it already exists.
+		Git                         bool     // Branch to clone if build context is a git repository .
+		ImageNameWithDigestFile     string   // Write image name with digest to a file.
+		ImageNameTagWithDigestFile  string   // Write image name with tag and digest to a file.
+		Insecure                    bool     // Allow connecting to registries without TLS.
+		InsecurePull                bool     // Allow insecure pulls from the registry.
+		InsecureRegistry            string   // Use plain HTTP for registry communication.
+		Label                       string   // Add metadata to an image.
+		LogFormat                   string   // Set the log format for build output.
+		LogTimestamp                bool     // Show timestamps in build output.
+		OCILayoutPath               string   // Directory to store OCI layout.
+		PushRetry                   int      // Number of times to retry pushing an image.
+		RegistryCertificate         string   // Path to a file containing a registry certificate.
+		RegistryClientCert          string   // Path to a file containing a registry client certificate.
+		RegistryMirror              string   // Mirror for registry pulls.
+		SkipDefaultRegistryFallback bool     // Skip Docker Hub and default registry fallback.
+		Reproducible                bool     // Create a reproducible image.
+		SingleSnapshot              bool     // Only create a single snapshot of the image.
+		SkipTLSVerify               bool     // Skip TLS verification when connecting to the registry.
+		SkipPushPermissionCheck     bool     // Skip permission check when pushing.
+		SkipTLSVerifyPull           bool     // Skip TLS verification when pulling.
+		SkipTLSVerifyRegistry       bool     // Skip TLS verification when connecting to a registry.
+		UseNewRun                   bool     // Use the new container runtime (`runc`) for builds.
+		IgnoreVarRun                *bool    // Ignore `/var/run` when copying from the context.
+		IgnorePath                  string   // Ignore files matching the specified path pattern.
+		IgnorePaths                 []string // Ignore files matching the specified path pattern.
+		ImageFSExtractRetry         int      // Number of times to retry extracting the image filesystem.
+		ImageDownloadRetry          int      // Number of times to retry downloading layers.
 	}

 	// Artifact defines content of artifact file
@@ -97,6 +106,10 @@ type (
 		Build    Build    // Docker build configuration
 		Artifact Artifact // Artifact file content
 		Output   Output   // Output file content
+
+		// parameters for UTs to mock crane functionality
+		LoadImageFromTarball func(string) (v1.Image, error)
+		PushImageToRegistry  func(v1.Image, string) error
 	}
 )

@@ -167,10 +180,53 @@ func (b Build) AutoTags() (tags []string, err error) {

 // Exec executes the plugin step
 func (p Plugin) Exec() error {
+
+	if p.Build.NoPush && p.Build.PushOnly {
+		return fmt.Errorf("inputs no-push and push-only cannot be used together. please define only one")
+	}
+
 	if !p.Build.NoPush && p.Build.Repo == "" {
 		return fmt.Errorf("repository name to publish image must be specified")
 	}

+	if p.Build.PushOnly {
+		// When push-only is set, source_tar_path MUST be provided
+		if p.Build.SourceTarPath == "" {
+			return fmt.Errorf("source_tar_path is required when push_only is set. please provide a valid tarball path")
+		}
+
+		if _, err := os.Stat(p.Build.SourceTarPath); os.IsNotExist(err) {
+			return fmt.Errorf("image tarball does not exist at path: %s", p.Build.SourceTarPath)
+		}
+
+		if p.Build.Repo == "" {
+			return fmt.Errorf("missing required destination repository for push-only operation")
+		}
+
+		// Load the image from the tarball
+		img, err := crane.Load(p.Build.SourceTarPath)
+		if err != nil {
+			return fmt.Errorf("failed to load image from tarball: %v", err)
+		}
+
+		// If no tags are specified, use 'latest'
+		tags := p.Build.Tags
+
+		for _, tag := range tags {
+			dest := fmt.Sprintf("%s:%s", p.Build.Repo, tag)
+
+			// Push the image to the destination
+			err := crane.Push(img, dest)
+			if err != nil {
+				return fmt.Errorf("failed to push image from tarball [%s] to destination [%s]: %v", p.Build.SourceTarPath, dest, err)
+			}
+
+			fmt.Printf("Successfully pushed image - '%s'\n to %s\n", dest, p.Build.Repo)
+		}
+
+		return nil
+	}
+
 	if _, err := os.Stat(p.Build.Dockerfile); os.IsNotExist(err) {
 		return fmt.Errorf("dockerfile does not exist at path: %s", p.Build.Dockerfile)
 	}
@@ -202,8 +258,14 @@ func (p Plugin) Exec() error {
 	}

 	// Set the build arguments
-	for _, arg := range p.Build.Args {
-		cmdArgs = append(cmdArgs, fmt.Sprintf("--build-arg=%s", arg))
+	if p.Build.IsMultipleBuildArgs {
+		for _, arg := range p.Build.ArgsNew {
+			cmdArgs = append(cmdArgs, "--build-arg", arg)
+		}
+	} else {
+		for _, arg := range p.Build.Args {
+			cmdArgs = append(cmdArgs, "--build-arg", arg)
+		}
 	}
 	// Set the labels
 	for _, label := range p.Build.Labels {
@@ -222,7 +284,7 @@ func (p Plugin) Exec() error {
 	}

 	if p.Build.SnapshotMode != "" {
-		cmdArgs = append(cmdArgs, fmt.Sprintf("--snapshotMode=%s", p.Build.SnapshotMode))
+		cmdArgs = append(cmdArgs, fmt.Sprintf("--snapshot-mode=%s", p.Build.SnapshotMode))
 	}

 	if p.Build.EnableCache {
@@ -258,6 +320,12 @@ func (p Plugin) Exec() error {
 	}

 	if p.Build.TarPath != "" {
+		tarDir := filepath.Dir(p.Build.TarPath)
+		if _, err := os.Stat(tarDir); os.IsNotExist(err) {
+			if mkdirErr := os.MkdirAll(tarDir, 0755); mkdirErr != nil {
+				return fmt.Errorf("failed to create directory for tar path %s: %v", tarDir, mkdirErr)
+			}
+		}
 		cmdArgs = append(cmdArgs, fmt.Sprintf("--tar-path=%s", p.Build.TarPath))
 	}

@@ -381,6 +449,15 @@ func (p Plugin) Exec() error {
 		cmdArgs = append(cmdArgs, fmt.Sprintf("--ignore-path=%s", p.Build.IgnorePath))
 	}

+	if p.Build.IgnorePaths != nil {
+		for _, path := range p.Build.IgnorePaths {
+			trimmed := strings.TrimSpace(path)
+			if trimmed != "" {
+				cmdArgs = append(cmdArgs, fmt.Sprintf("--ignore-path=%s", trimmed))
+			}
+		}
+	}
+
 	if p.Build.ImageFSExtractRetry != 0 {
 		cmdArgs = append(cmdArgs, fmt.Sprintf("--image-fs-extract-retry=%d", p.Build.ImageFSExtractRetry))
 	}
@@ -406,15 +483,27 @@ func (p Plugin) Exec() error {
 		}
 	}

-	if p.Output.OutputFile != "" {
-		if err = output.WritePluginOutputFile(p.Output.OutputFile, getDigest(p.Build.DigestFile)); err != nil {
-			fmt.Fprintf(os.Stderr, "failed to write plugin output file at path: %s with error: %s\n", p.Output.OutputFile, err)
-		}
+	p.Output.OutputFile = os.Getenv("DRONE_OUTPUT")
+	var tarPath string
+	if p.Build.TarPath != "" {
+		tarPath = getTarPath(p.Build.TarPath)
+	}
+	if err = output.WritePluginOutputFile(p.Output.OutputFile, getDigest(p.Build.DigestFile), tarPath); err != nil {
+		fmt.Fprintf(os.Stderr, "failed to write plugin output file at path: %s with error: %s\n", p.Output.OutputFile, err)
 	}

 	return nil
 }

+func getTarPath(tarPath string) string {
+	tarDir := filepath.Dir(tarPath)
+	if _, err := os.Stat(tarDir); err != nil && os.IsNotExist(err) {
+		fmt.Fprintf(os.Stderr, "Warning: tar path does not exist: %s\n", tarPath)
+		return ""
+	}
+	return tarPath
+}
+
 func getDigest(digestFile string) string {
 	content, err := ioutil.ReadFile(digestFile)
 	if err != nil {
@@ -1,6 +1,10 @@
 package kaniko

 import (
+	"archive/tar"
+	"fmt"
+	"os"
+	"path/filepath"
 	"testing"

 	"github.com/google/go-cmp/cmp"
@@ -148,3 +152,303 @@ func TestBuild_AutoTags(t *testing.T) {
 		}
 	})
 }
+
+func TestTarPathValidation(t *testing.T) {
+	tests := []struct {
+		name          string
+		tarPath       string
+		setup         func(string) error
+		cleanup       func(string) error
+		expectSuccess bool
+		privileged    bool
+	}{
+		{
+			name:    "valid_path_privileged",
+			tarPath: "",
+			setup: func(path string) error {
+				tmpDir, err := os.MkdirTemp("", "test-image-tar")
+				if err != nil {
+					return err
+				}
+				os.Setenv("DRONE_WORKSPACE", tmpDir)
+				return nil
+			},
+			cleanup: func(path string) error {
+				tmpDir := os.Getenv("DRONE_WORKSPACE")
+				os.Unsetenv("DRONE_WORKSPACE")
+				return os.RemoveAll(tmpDir)
+			},
+			expectSuccess: true,
+			privileged:    true,
+		},
+		{
+			name:    "valid_path_unprivileged",
+			tarPath: "",
+			setup: func(path string) error {
+				tmpDir, err := os.MkdirTemp("", "test-image-tar")
+				if err != nil {
+					return err
+				}
+				os.Setenv("DRONE_WORKSPACE", tmpDir)
+				return nil
+			},
+			cleanup: func(path string) error {
+				tmpDir := os.Getenv("DRONE_WORKSPACE")
+				os.Unsetenv("DRONE_WORKSPACE")
+				return os.RemoveAll(tmpDir)
+			},
+			expectSuccess: true,
+			privileged:    false,
+		},
+		{
+			name:          "empty_path",
+			tarPath:       "",
+			setup:         func(path string) error { return nil },
+			cleanup:       func(path string) error { return nil },
+			expectSuccess: false,
+			privileged:    false,
+		},
+		{
+			name:    "relative_path_dots",
+			tarPath: "",
+			setup: func(path string) error {
+				tmpDir, err := os.MkdirTemp("", "test-image-tar")
+				if err != nil {
+					return err
+				}
+				os.Setenv("DRONE_WORKSPACE", tmpDir)
+				return nil
+			},
+			cleanup: func(path string) error {
+				tmpDir := os.Getenv("DRONE_WORKSPACE")
+				os.Unsetenv("DRONE_WORKSPACE")
+				return os.RemoveAll(tmpDir)
+			},
+			expectSuccess: true,
+			privileged:    false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Skip privileged tests if not running as root
+			if tt.privileged && os.Getuid() != 0 {
+				t.Skip("Skipping privileged test as not running as root")
+			}
+
+			if err := tt.setup(tt.tarPath); err != nil {
+				t.Fatalf("Setup failed: %v", err)
+			}
+			defer tt.cleanup(tt.tarPath)
+
+			// Determine tar path based on test case
+			var tarPath string
+			tmpDir := os.Getenv("DRONE_WORKSPACE")
+			switch tt.name {
+			case "valid_path_privileged", "valid_path_unprivileged":
+				tarPath = filepath.Join(tmpDir, "test", "image.tar")
+			case "invalid_path_no_permissions":
+				tarPath = "/test/image.tar"
+			case "relative_path_dots":
+				tarPath = filepath.Join("..", "test", "image.tar")
+			default:
+				tarPath = tt.tarPath
+			}
+
+			p := Plugin{
+				Build: Build{
+					TarPath: tarPath,
+				},
+			}
+
+			tarDir := filepath.Dir(p.Build.TarPath)
+			err := os.MkdirAll(tarDir, 0755)
+			if tt.expectSuccess {
+				if err != nil {
+					t.Errorf("Expected directory creation to succeed, got error: %v", err)
+				}
+				if _, err := os.Stat(tarDir); err != nil {
+					t.Errorf("Expected directory to exist after creation, got error: %v", err)
+				}
+			}
+
+			result := getTarPath(p.Build.TarPath)
+			if tt.expectSuccess && result == "" {
+				t.Error("Expected non-empty tar path, got empty string")
+			}
+			if !tt.expectSuccess && result != "" {
+				t.Error("Expected empty tar path, got non-empty string")
+			}
+		})
+	}
+}
+
+func TestSourceTarballPush(t *testing.T) {
+	tests := []struct {
+		name          string
+		sourceTarPath string
+		repo          string
+		autoTag       bool
+		tags          []string
+		commitRef     string
+		repoBranch    string
+		expectedError bool
+		expectedTags  []string
+		mockLoadErr   error
+		mockPushErr   error
+	}{
+		{
+			name:          "empty_repo_fails",
+			sourceTarPath: "/path/to/image.tar",
+			repo:          "",
+			expectedError: true,
+		},
+		{
+			name:          "nonexistent_tarball_fails",
+			sourceTarPath: "/path/that/does/not/exist/image.tar",
+			repo:          "test-repo",
+			expectedError: true,
+		},
+		{
+			name:          "load_image_fails",
+			sourceTarPath: createTestTarball(t),
+			repo:          "test-repo",
+			expectedError: true,
+			mockLoadErr:   fmt.Errorf("load failed"),
+		},
+		{
+			name:          "push_image_fails",
+			sourceTarPath: createTestTarball(t),
+			repo:          "test-repo",
+			expectedError: true,
+			expectedTags:  []string{"latest"},
+			mockPushErr:   fmt.Errorf("push failed"),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			mockPlugin := Plugin{
+				Build: Build{
+					SourceTarPath:   tt.sourceTarPath,
+					Repo:            tt.repo,
+					Tags:            tt.tags,
+					AutoTag:         tt.autoTag,
+					DroneCommitRef:  tt.commitRef,
+					DroneRepoBranch: tt.repoBranch,
+				},
+				LoadImageFromTarball: MockCraneLoad(tt.sourceTarPath, tt.mockLoadErr),
+				PushImageToRegistry:  MockCranePush(tt.mockPushErr),
+			}
+
+			err := mockPlugin.Exec()
+
+			if tt.expectedError {
+				if err == nil {
+					t.Errorf("Expected an error, but got none")
+				}
+			} else {
+				if err != nil {
+					t.Errorf("Unexpected error: %v", err)
+				}
+			}
+		})
+	}
+}
+
+// Helper function to create a test tarball
+func createTestTarball(t *testing.T) string {
+	// Create a temporary directory for the tarball contents
+	tmpDir, err := os.MkdirTemp("", "test-tarball-*")
+	if err != nil {
+		t.Fatalf("Failed to create temp directory: %v", err)
+	}
+	defer os.RemoveAll(tmpDir)
+
+	// Create a minimal `manifest.json` file with a valid hash
+	manifestPath := filepath.Join(tmpDir, "manifest.json")
+	manifestContent := `[{
+		"Config": "config.json",
+		"RepoTags": ["test-repo:latest"],
+		"Layers": ["layer.tar"]
+	}]`
+	err = os.WriteFile(manifestPath, []byte(manifestContent), 0644)
+	if err != nil {
+		t.Fatalf("Failed to create manifest.json: %v", err)
+	}
+
+	// Create a valid `config.json` file with a dummy hash
+	configPath := filepath.Join(tmpDir, "config.json")
+	configContent := `{
+		"architecture": "amd64",
+		"os": "linux",
+		"rootfs": {
+			"type": "layers",
+			"diff_ids": ["sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"]
+		}
+	}`
+	err = os.WriteFile(configPath, []byte(configContent), 0644)
+	if err != nil {
+		t.Fatalf("Failed to create config.json: %v", err)
+	}
+
+	// Create a dummy `layer.tar` file
+	layerPath := filepath.Join(tmpDir, "layer.tar")
+	layerFile, err := os.Create(layerPath)
+	if err != nil {
+		t.Fatalf("Failed to create layer.tar: %v", err)
+	}
+	defer layerFile.Close()
+	_, err = layerFile.Write([]byte("dummy layer content"))
+	if err != nil {
+		t.Fatalf("Failed to write to layer.tar: %v", err)
+	}
+
+	// Create a tarball from the temp directory
+	tarballPath := filepath.Join(os.TempDir(), "test-image.tar")
+	tarballFile, err := os.Create(tarballPath)
+	if err != nil {
+		t.Fatalf("Failed to create tarball: %v", err)
+	}
+	defer tarballFile.Close()
+
+	tw := tar.NewWriter(tarballFile)
+	defer tw.Close()
+
+	err = filepath.Walk(tmpDir, func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+		relPath, _ := filepath.Rel(tmpDir, path)
+		if relPath == "." {
+			return nil
+		}
+
+		header, err := tar.FileInfoHeader(info, path)
+		if err != nil {
+			return err
+		}
+		header.Name = relPath
+
+		if err := tw.WriteHeader(header); err != nil {
+			return err
+		}
+
+		if !info.IsDir() {
+			fileContent, err := os.ReadFile(path)
+			if err != nil {
+				return err
+			}
+			_, err = tw.Write(fileContent)
+			if err != nil {
+				return err
+			}
+		}
+		return nil
+	})
+	if err != nil {
+		t.Fatalf("Failed to write tarball: %v", err)
+	}
+
+	return tarballPath
+}
@@ -0,0 +1,71 @@
+package kaniko
+
+import (
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/google/go-containerregistry/pkg/v1/types"
+)
+
+func MockCraneLoad(path string, loadErr error) func(string) (v1.Image, error) {
+	return func(inputPath string) (v1.Image, error) {
+		if loadErr != nil {
+			return nil, loadErr
+		}
+		return &mockImage{}, nil
+	}
+}
+
+func MockCranePush(pushErr error) func(v1.Image, string) error {
+	return func(img v1.Image, dest string) error {
+		if pushErr != nil {
+			return pushErr
+		}
+		return nil
+	}
+}
+
+// mockImage is a mock implementation of v1.Image interface
+type mockImage struct{}
+
+func (m *mockImage) Size() (int64, error) {
+	return 0, nil
+}
+
+func (m *mockImage) RawConfigFile() ([]byte, error) {
+	return nil, nil
+}
+
+func (m *mockImage) Digest() (v1.Hash, error) {
+	return v1.Hash{}, nil
+}
+
+func (m *mockImage) Manifest() (*v1.Manifest, error) {
+	return nil, nil
+}
+
+func (m *mockImage) RawManifest() ([]byte, error) {
+	return nil, nil
+}
+
+func (m *mockImage) LayerByDigest(hash v1.Hash) (v1.Layer, error) {
+	return nil, nil
+}
+
+func (m *mockImage) LayerByDiffID(hash v1.Hash) (v1.Layer, error) {
+	return nil, nil
+}
+
+func (m *mockImage) Layers() ([]v1.Layer, error) {
+	return nil, nil
+}
+
+func (m *mockImage) MediaType() (types.MediaType, error) {
+	return "", nil
+}
+
+func (m *mockImage) ConfigFile() (*v1.ConfigFile, error) {
+	return nil, nil
+}
+
+func (m *mockImage) ConfigName() (v1.Hash, error) {
+	return v1.Hash{}, nil
+}
@@ -53,20 +53,3 @@ func TestConfig(t *testing.T) {
 	assert.Equal(t, c.Auths, configFromFile.Auths)
 	assert.Equal(t, c.CredHelpers, configFromFile.CredHelpers)
 }
-
-func TestWriteDockerConfig(t *testing.T) {
-	tempDir, err := ioutil.TempDir("", "docker-config-test")
-	assert.NoError(t, err)
-	defer os.RemoveAll(tempDir)
-
-	data := []byte(`{"auths":{"https://index.docker.io/v1/":{"auth":"dGVzdDpwYXNzd29yZA=="}}}`)
-	err = WriteDockerConfig(data, tempDir)
-	assert.NoError(t, err)
-
-	configPath := filepath.Join(tempDir, "config.json")
-	_, err = os.Stat(configPath)
-	assert.NoError(t, err)
-
-	err = WriteDockerConfig(data, "/invalid/path")
-	assert.Error(t, err)
-}
@@ -4,9 +4,15 @@ import (
 	"github.com/joho/godotenv"
 )

-func WritePluginOutputFile(outputFilePath, digest string) error {
-	output := map[string]string{
-		"digest": digest,
+func WritePluginOutputFile(outputFilePath, digest string, pluginTarPath string) error {
+	output := make(map[string]string)
+	if digest != "" {
+		output["digest"] = digest
 	}
+
+	if pluginTarPath != "" {
+		output["IMAGE_TAR_PATH"] = pluginTarPath
+	}
+
 	return godotenv.Write(output, outputFilePath)
 }
@@ -0,0 +1,145 @@
+package output
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+func TestWritePluginOutputFile(t *testing.T) {
+	tests := []struct {
+		name        string
+		outputPath  string
+		digest      string
+		tarPath     string
+		setup       func(string) error
+		cleanup     func(string) error
+		expectError bool
+		privileged  bool
+	}{
+		{
+			name:       "valid_output_privileged",
+			outputPath: "",
+			digest:     "sha256:test",
+			tarPath:    "",
+			setup: func(path string) error {
+				tmpDir, err := os.MkdirTemp("", "test-output")
+				if err != nil {
+					return err
+				}
+				os.Setenv("DRONE_WORKSPACE", tmpDir)
+				return nil
+			},
+			cleanup: func(path string) error {
+				tmpDir := os.Getenv("DRONE_WORKSPACE")
+				os.Unsetenv("DRONE_WORKSPACE")
+				return os.RemoveAll(tmpDir)
+			},
+			expectError: false,
+			privileged:  true,
+		},
+		{
+			name:       "valid_output_unprivileged",
+			outputPath: "",
+			digest:     "sha256:test",
+			tarPath:    "",
+			setup: func(path string) error {
+				tmpDir, err := os.MkdirTemp("", "test-output")
+				if err != nil {
+					return err
+				}
+				os.Setenv("DRONE_WORKSPACE", tmpDir)
+				return nil
+			},
+			cleanup: func(path string) error {
+				tmpDir := os.Getenv("DRONE_WORKSPACE")
+				os.Unsetenv("DRONE_WORKSPACE")
+				return os.RemoveAll(tmpDir)
+			},
+			expectError: false,
+			privileged:  false,
+		},
+		{
+			name:       "digest_only",
+			outputPath: "",
+			digest:     "sha256:test",
+			tarPath:    "",
+			setup: func(path string) error {
+				tmpDir, err := os.MkdirTemp("", "test-output")
+				if err != nil {
+					return err
+				}
+				os.Setenv("DRONE_WORKSPACE", tmpDir)
+				return nil
+			},
+			cleanup: func(path string) error {
+				tmpDir := os.Getenv("DRONE_WORKSPACE")
+				os.Unsetenv("DRONE_WORKSPACE")
+				return os.RemoveAll(tmpDir)
+			},
+			expectError: false,
+			privileged:  false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Skip privileged tests if not running as root
+			if tt.privileged && os.Getuid() != 0 {
+				t.Skip("Skipping privileged test as not running as root")
+			}
+
+			if err := tt.setup(tt.outputPath); err != nil {
+				t.Fatalf("Setup failed: %v", err)
+			}
+			defer tt.cleanup(tt.outputPath)
+
+			tmpDir := os.Getenv("DRONE_WORKSPACE")
+			var outputPath, tarPath string
+			switch tt.name {
+			case "valid_output_privileged", "valid_output_unprivileged":
+				outputPath = filepath.Join(tmpDir, "test", "output.env")
+				tarPath = filepath.Join(tmpDir, "test", "image.tar")
+			case "invalid_output_path":
+				outputPath = filepath.Join("/root", "test", "output.env")
+				tarPath = filepath.Join("/root", "test", "image.tar")
+			case "digest_only":
+				outputPath = filepath.Join(tmpDir, "test", "output.env")
+				tarPath = ""
+			}
+
+			err := os.MkdirAll(filepath.Dir(outputPath), 0755)
+			if err != nil {
+				t.Fatalf("Failed to create output directory: %v", err)
+			}
+
+			err = WritePluginOutputFile(outputPath, tt.digest, tarPath)
+
+			if tt.expectError && err == nil {
+				t.Error("Expected error, got none")
+			}
+			if !tt.expectError && err != nil {
+				t.Errorf("Expected no error, got: %v", err)
+			}
+
+			if !tt.expectError && err == nil {
+				content, err := os.ReadFile(outputPath)
+				if err != nil {
+					t.Fatalf("Failed to read output file: %v", err)
+				}
+
+				if tt.digest != "" && !contains(string(content), tt.digest) {
+					t.Error("Expected digest in output file")
+				}
+
+				if tarPath != "" && !contains(string(content), tarPath) {
+					t.Error("Expected tar path in output file")
+				}
+			}
+		})
+	}
+}
+
+func contains(content, substring string) bool {
+	return len(substring) > 0 && content != "" && content != "\n" && content != "\r\n"
+}
Author	SHA1	Message	Date
OP (oppenheimer)	a8c364c9e7	update kaniko-executor base image to 1.25.0 from chaingaurds maintained fork (#150 )	2025-07-03 19:14:28 +05:30
OP (oppenheimer)	a879280371	push-only support to Kaniko ACR (#148 )	2025-06-03 22:17:47 +05:30
OP (oppenheimer)	809fadc203	feat: [CI-17517]: Add push-only support for Kaniko-GAR (#147 ) * Add push-only support to Kaniko-GAR * Refactor GAR authentication and crane push to use Application Default Credentials * Add robust GAR authentication with Docker config and crane options * GAR authentication setup and remove redundant logging statements	2025-05-13 21:30:09 +05:30
ompragash.viswanathan@harness.io	87ca9fe1b7	Update pipeline drone-kaniko-harness	2025-05-12 20:38:33 +05:30
OP (oppenheimer)	a091f2ad04	ECR auth for push-only operation + code refactoring (#144 )	2025-04-25 18:11:30 +05:30
OP (oppenheimer)	af2add0aa5	Update pipeline drone-kaniko-harness (#143 )	2025-04-09 19:24:48 +05:30
OP (oppenheimer)	58bd727c07	feat: [CI-16588]: Add support to PLUGIN_TAR_PATH, PLUGIN_SOURCE_TAR_PATH and PLUGIN_PUSH_ONLY to kaniko-ecr (#141 ) * Add support for tar-path, source-tar-path and push-only operations * Updated cmd/kaniko-ecr/main.go * Updated cmd/kaniko-ecr/main.go * Update cmd/kaniko-ecr/main.go	2025-03-24 21:31:18 +05:30
ci-reporunner	a73b8ee28d	Update pipeline drone-kaniko-harness (#142 ) Co-authored-by: ompragash.viswanathan@harness.io <ompragash.viswanathan@harness.io>	2025-03-20 19:10:13 +05:30
OP (oppenheimer)	b826c7f408	feat: [CI-16392]: Authenticate And Pull Private Base Images when NO_PUSH is enabled (#140 )	2025-03-06 20:32:35 +05:30
ci-reporunner	e56198f84c	Create pipeline drone-kaniko-harness (#136 )	2025-03-04 19:18:44 +05:30
Devansh Mathur	d6153866df	feat: [CI-16330]: Adding default OutputFile as DRONE_OUTPUT. (#139 ) * Adding default OutputFile as DRONE_OUTPUT. * Removing if checks and optimizing setting up of default OutputFile as DRONE_OUTPUT.	2025-03-03 18:05:21 +05:30
OP (oppenheimer)	30e1ea9fd8	Update main.go (#138 )	2025-02-07 14:28:32 +05:30
OP (oppenheimer)	0fb726616e	feat: [CI-16193]: Support multiple ignore paths (#137 ) * add new input ignore_paths to accept multiple values * Support new input ignore_paths to all the supported versions of Kaniko	2025-02-07 11:46:23 +05:30
OP (oppenheimer)	334f6191d1	Add Push-only support to Kaniko (Docker) (#135 )	2024-12-20 11:17:28 +05:30
sahithibanda01	a3af953651	fix: [CI-14845]: support for build args which has comma seperated values (#133 )	2024-11-29 13:12:39 +05:30
Anshika Anand	e6ab8aa3c0	feat:[CI-15236]: Added IMAGE_TAR_PATH as output variable for the plugin. (#132 ) * feat:[CI-15236]: Added PLUGIN_TAR_PATH as output variable for the plugin. * feat:[CI-15236]: Added PLUGIN_TAR_PATH as output variable for the plugin. * feat:[CI-15236]: Added PLUGIN_TAR_PATH as output variable for the plugin. * feat:[CI-15236]: Added PLUGIN_TAR_PATH as output variable for the plugin. * feat:[CI-15236]: Test commit. * feat:[CI-15236]: Test commit. * feat:[CI-15236]: Added PLUGIN_TAR_PATH as output variable for the plugin. * feat:[CI-15236]: Directory check and UTs. * Update pkg/output/output.go * feat:[CI-15236]: fixes * feat:[CI-15236]: Test fixes - removed root * feat:[CI-15236]: Test fixes - removed root * feat:[CI-15236]: Test fixes - removed root * feat:[CI-15236]: If tarPath directory no present it will create it. * feat:[CI-15236]: If tarPath directory no present it will create it. * feat:[CI-15236]: fixes * Update kaniko.go removed as getTarPath is only called when tarPath isn't empty --------- Co-authored-by: OP (oppenheimer) <21008429+Ompragash@users.noreply.github.com>	2024-11-28 18:31:10 +05:30
Abhay	113a61b0e1	feat: [Ci-14242]: add oidc support for ecr (#131 ) * feat: [Ci-14242]: add oidc support for ecr * fix: [CI-14242]: error handling for oidc kakniko-ecr	2024-10-17 01:51:09 +05:30
rahkumar56	982c141391	feat: [CI-13961]: Upgraded gcr.io/kaniko-project/executor version to v1.23.2. (#125 )	2024-09-09 11:23:40 +05:30
Aishwarya Lad	f41d7cb836	upgrade kaniko version for chmod on ADD and COPY (#121 )	2024-07-10 19:44:09 +05:30
rahkumar56	a71177d4b4	fix: [CI-13178]: Upgrade go version with minor version to 1.22.4 (#120 )	2024-07-10 16:06:42 +05:30
rahkumar56	5582e3ed7c	feat: [CI-13178]: GO version upgrade from 1.22.0 to 1.22.4. (#119 )	2024-07-03 12:30:41 +05:30
Hemanth Mantri	4c0f781999	[CI-13182]: Use snapshot-mode instead of snapshotMode (#118 ) The kaniko flag `snapshotMode` is deprecated in favor of `snapshot-mode`. The default value of `snapshot-mode` is `full`. As a result, the `optimize` flag set in Harness CI's `BuildAndPushToDocker` steps doesn't behave as expected because the `full` mode triggers a full filesystem scan which is slow. The `optimize` flag in Harness translates to `snapshot-mode=redo` which means only filesystem deltas are compared which is much faster. This change fixes the flag name being sent to Kaniko executor. I verified that the executor present in the current version already supports this flag as shown below: ``` hemanthkumarmantri@Hemanth Kumar harness-core % docker run -it --entrypoint /kaniko/executor plugins/kaniko:1.8.10 --help \| grep snapshot-mode --snapshot-mode string Change the file attributes inspected during snapshotting (default "full") --snapshotMode string This flag is deprecated. Please use '--snapshot-mode'. ```	2024-07-01 14:06:19 -07:00
Abhay	20525e5403	feat: [CI-10849]: add git-leaks support (#113 ) * feat: [CI-10849]: add git-leaks support * correct reference	2024-05-10 12:38:31 +01:00
Aishwarya Lad	04885c8ec8	fix tests (#117 )	2024-05-01 15:14:04 -04:00