From fbab2854c618b11b026908978cde1af45feddccb Mon Sep 17 00:00:00 2001
From: Damien Arnodo
Date: Sun, 7 Dec 2025 18:10:21 +0000
Subject: [PATCH] refactor: switch to Kaniko (no daemon, no privileged mode needed)
---
 .gitea/workflows/build-images.yml | 48 +++++++++++++------------------
 1 file changed, 20 insertions(+), 28 deletions(-)
diff --git a/.gitea/workflows/build-images.yml b/.gitea/workflows/build-images.yml
index 27bb2d5..9c974a8 100644
--- a/.gitea/workflows/build-images.yml
+++ b/.gitea/workflows/build-images.yml
@@ -38,11 +38,9 @@ jobs: id: changes run: | if [ -n "${{ inputs.image }}" ]; then - # Manual trigger - build specific image echo "matrix=[\"${{ inputs.image }}\"]" >> $GITHUB_OUTPUT echo "has_changes=true" >> $GITHUB_OUTPUT else - # Auto-detect changed images CHANGED=$(git diff --name-only HEAD~1 HEAD -- images/ 2>/dev/null | cut -d'/' -f2 | sort -u | grep -v '^$' || true) if [ -z "$CHANGED" ]; then echo "has_changes=false" >> $GITHUB_OUTPUT 
@@ -60,44 +58,36 @@ jobs: echo "Has changes: ${{ steps.changes.outputs.has_changes }}" # ============================================================================ - # Job 2 : Build avec Buildkit rootless (100% containerisé) + # Job 2 : Build avec Kaniko (100% containerisé, sans daemon Docker) # ============================================================================ build: needs: detect-changes if: needs.detect-changes.outputs.has_changes == 'true' runs-on: docker container: - image: moby/buildkit:rootless - options: --privileged + image: gcr.io/kaniko-project/executor:debug strategy: matrix: image: ${{ fromJson(needs.detect-changes.outputs.matrix) }} steps: - name: Checkout repository run: | - # Use $HOME to avoid /workspace conflicts - WORK_DIR="$HOME/build" + # Kaniko debug image has busybox + sh + WORK_DIR="/workspace/source" rm -rf "$WORK_DIR" mkdir -p "$WORK_DIR" - # Git is included in moby/buildkit image + # Clone with git (included in debug image) git clone --depth 1 https://gitea.arnodo.fr/${{ gitea.repository }}.git "$WORK_DIR" - - echo "WORK_DIR=$WORK_DIR" >> $GITHUB_ENV - - name: Build and push with Buildkit + - name: Setup registry auth env: REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }} REGISTRY_USER: ${{ gitea.actor }} run: | - cd "$WORK_DIR" - IMAGE_NAME="${{ env.REGISTRY }}/damien/${{ matrix.image }}" - SHORT_SHA=$(echo "${{ gitea.sha }}" | cut -c1-7) - - # Create auth config for registry - mkdir -p ~/.docker + mkdir -p /kaniko/.docker AUTH=$(echo -n "${REGISTRY_USER}:${REGISTRY_TOKEN}" | base64 | tr -d '\n') - cat > ~/.docker/config.json < /kaniko/.docker/config.json <