
Unable to push when using Gitlab CI_COMMIT_TAG variable

Open acodemics opened this issue 10 months ago • 1 comments

Actual behavior

Using Kaniko in my gitlab-ci.yml file to build and push images on new tags -

deploy-docker:
  stage: deploy
  rules:
    - if: $CI_COMMIT_TAG
  image: 
    name: gcr.io/kaniko-project/executor:v1.23.2-debug
    entrypoint: [""]
  script:
    - IMAGE_TAG="namespace/project:$CI_COMMIT_TAG"
    - echo $IMAGE_TAG
    - cat ${DOCKER_HUB_AUTH} > /kaniko/.docker/config.json
    - /kaniko/executor
      --context="${CI_PROJECT_DIR}"
      --dockerfile="./Dockerfile"
      --destination="$IMAGE_TAG"
      --build-arg CI_TOKEN="${CI_JOB_TOKEN}"
      --verbosity debug

Whenever I use $CI_COMMIT_TAG Kaniko fails to build with the following error -

$ IMAGE_TAG="namespace/project:$CI_COMMIT_TAG"
$ echo $IMAGE_TAG
namespace/project:v1.0.24
$ cat ${DOCKER_HUB_AUTH} > /kaniko/.docker/config.json
$ /kaniko/executor --context="${CI_PROJECT_DIR}" --dockerfile="./Dockerfile" --destination="$IMAGE_TAG" --build-arg CI_TOKEN="${CI_JOB_TOKEN}" --verbosity debug
DEBU[0000] Copying file /builds/namespace/project/Dockerfile to /kaniko/Dockerfile 
error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "namespace/project:v1.0.24": POST https://index.docker.io/v2/namespace/project/blobs/uploads/: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:namespace/project Type:repository] map[Action:push Class: Name:namespace/project Type:repository]]

I have tried various different ways of setting the destination string and it always fails whenever the variable $CI_COMMIT_TAG is in use. If I hardcode the tag name it works correctly; if I try using a different Gitlab CI variable such as $CI_COMMIT_SHORT_SHA it works correctly and pushes to Docker Hub.

As you can see in the CI log the git tag is available and not empty, it can be echo'd correctly.

Expected behavior

I expect to be able to push to Docker Hub with a git tag as set via Gitlab CI as a CI variable.

To Reproduce

Attempt to run a Kaniko build using gitlab CI $CI_COMMIT_TAG environment variable.

acodemics, Feb 19 '25 17:02

Do you configure credentials for https://index.docker.io or for https://registry-1.docker.io? Also, passing in CI_JOB_TOKEN as a build-arg is a bad idea, as it will invalidate the cache every time (you're not using caching in the example, but you might consider it). You can store the token in a file in the /kaniko folder, or anywhere if you pass the ignore for it. Basically, everything that exists before kaniko starts is treated implicitly as a secret mount, just FYI.

- echo ${CI_JOB_TOKEN} > /root/.netrc
- /kaniko/executor --ignore-path=/root/.netrc ...

mzihlmann, May 25 '25 20:05
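
One way to answer the question raised in the comment above without printing any secret: list the registry keys present in the config.json written to /kaniko/.docker/ and compare them with the registry the --destination resolves to. This is an added example, not code from either participant or from the kaniko project; the function names and status strings are hypothetical, and it assumes the Docker Hub key is `https://index.docker.io/v1/`, as shown in kaniko's README.

```python
import json
from urllib.parse import urlparse

HUB_HOST = "index.docker.io"
# Assumption: the key kaniko's README shows for Docker Hub credentials.
HUB_KEY = "https://index.docker.io/v1/"

def registry_of(destination):
    """Registry host of an image reference; bare 'ns/repo:tag' means Docker Hub."""
    first, slash, _ = destination.partition("/")
    if slash and ("." in first or ":" in first or first == "localhost"):
        return first
    return HUB_HOST

def key_host(key):
    """Host part of an 'auths' key, with any scheme and path stripped."""
    return urlparse(key).netloc if "://" in key else key.split("/")[0]

def check_auth(config_text, destination):
    """Return (status, auths keys); credential values are never returned."""
    if not config_text.strip():
        return "empty-config", []
    try:
        auths = json.loads(config_text).get("auths") or {}
    except (ValueError, AttributeError):
        return "invalid-json", []
    keys = sorted(auths)
    target = registry_of(destination)
    host_hit = any(key_host(k) == target for k in keys)
    if target == HUB_HOST:
        if HUB_KEY in auths:
            return "ok", keys
        # An entry for the host exists, but not under the README's key.
        return ("host-only-match" if host_hit else "no-entry"), keys
    return ("ok" if host_hit else "no-entry"), keys

if __name__ == "__main__":
    # Constructed sample configs; "PLACEHOLDER" stands in for a real credential.
    samples = {
        "hub v1 key": '{"auths": {"https://index.docker.io/v1/": {"auth": "PLACEHOLDER"}}}',
        "registry-1 key": '{"auths": {"https://registry-1.docker.io": {"auth": "PLACEHOLDER"}}}',
        "bare host key": '{"auths": {"index.docker.io": {"auth": "PLACEHOLDER"}}}',
        "empty file": "",
    }
    for label, text in samples.items():
        print(label, check_auth(text, "namespace/project:v1.0.24"))
```

Running the check on the same file content in both a tag pipeline and a non-tag pipeline shows whether the two jobs actually see the same credentials.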