From 4d2076d144afd2b98f48aae0127dbd1156c94384 Mon Sep 17 00:00:00 2001
From: jordan
Date: Wed, 28 Jan 2026 18:44:24 -0700
Subject: [PATCH] feat: Update templates to use Kaniko for rootless builds

Replace Docker-in-Docker (privileged mode) with Kaniko for container builds. This allows CI pipelines to run without requiring trusted repo status in Woodpecker.

- astro-landing: Use Kaniko with from_secret for registry auth
- go-api: Use Kaniko with from_secret for registry auth
- default: Use Kaniko with from_secret for registry auth

Kaniko builds and pushes images without requiring privileged mode, making it compatible with Woodpecker's default security settings.

Co-Authored-By: Claude Opus 4.5
---
 .../templates/astro-landing/.woodpecker.yml | 31 ++++++++---------
 .../templates/default/.woodpecker.yml | 33 ++++++++++---------
 .../templates/go-api/.woodpecker.yml | 31 ++++++++---------
 3 files changed, 49 insertions(+), 46 deletions(-)

diff --git a/internal/adapter/templates/templates/astro-landing/.woodpecker.yml b/internal/adapter/templates/templates/astro-landing/.woodpecker.yml
index a1114f4..fc7438c 100644
--- a/internal/adapter/templates/templates/astro-landing/.woodpecker.yml
+++ b/internal/adapter/templates/templates/astro-landing/.woodpecker.yml
@@ -14,22 +14,23 @@ steps:
       - event: [push, pull_request]
 
   docker:
-    image: docker:24-dind
-    privileged: true
+    image: gcr.io/kaniko-project/executor:debug
     commands:
-      - docker build -t zot.orchard9.ai/{{PROJECT_NAME}}:latest .
-      - docker build -t zot.orchard9.ai/{{PROJECT_NAME}}:${CI_COMMIT_SHA:0:8} .
-    when:
-      - event: push
-
-  push:
-    image: docker:24-dind
-    privileged: true
-    commands:
-      - echo "$ZOT_PASSWORD" | docker login zot.orchard9.ai -u "$ZOT_USER" --password-stdin
-      - docker push zot.orchard9.ai/{{PROJECT_NAME}}:latest
-      - docker push zot.orchard9.ai/{{PROJECT_NAME}}:${CI_COMMIT_SHA:0:8}
-    secrets: [zot_user, zot_password]
+      - |
+        mkdir -p /kaniko/.docker
+        echo "{\"auths\":{\"zot.orchard9.ai\":{\"username\":\"$ZOT_USER\",\"password\":\"$ZOT_PASSWORD\"}}}" > /kaniko/.docker/config.json
+      - >
+        /kaniko/executor
+        --context .
+        --dockerfile Dockerfile
+        --destination zot.orchard9.ai/{{PROJECT_NAME}}:latest
+        --destination zot.orchard9.ai/{{PROJECT_NAME}}:${CI_COMMIT_SHA:0:8}
+        --cache=true
+    environment:
+      ZOT_USER:
+        from_secret: zot_user
+      ZOT_PASSWORD:
+        from_secret: zot_password
     when:
       - event: push
         branch: main
diff --git a/internal/adapter/templates/templates/default/.woodpecker.yml b/internal/adapter/templates/templates/default/.woodpecker.yml
index 94f0cae..70275fe 100644
--- a/internal/adapter/templates/templates/default/.woodpecker.yml
+++ b/internal/adapter/templates/templates/default/.woodpecker.yml
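Review bot: The config.json written in the `- |` block splices `$ZOT_USER` and `$ZOT_PASSWORD` into JSON with no escaping, so a password containing `"` or `\` (or a backslash sequence that busybox `echo` may interpret) yields an invalid file and the push fails with an auth error that is hard to trace back to the secret's content. Encoding the pair into the `auth` field sidesteps quoting entirely: `auth="$(printf '%s:%s' "$ZOT_USER" "$ZOT_PASSWORD" | base64 | tr -d '\n')"` followed by `printf '{"auths":{"zot.orchard9.ai":{"auth":"%s"}}}' "$auth" > /kaniko/.docker/config.json`. Moving from `secrets:` to `environment`/`from_secret` is the right direction since Woodpecker masks those values in step logs; given the `:debug` image's shell is busybox, `printf` rather than `echo` is also the portable choice for everything else in that block.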
@@ -1,21 +1,22 @@
 steps:
-  build:
-    image: docker:24-dind
-    privileged: true
+  docker:
+    image: gcr.io/kaniko-project/executor:debug
     commands:
-      - docker build -t zot.orchard9.ai/{{PROJECT_NAME}}:latest .
-      - docker build -t zot.orchard9.ai/{{PROJECT_NAME}}:${CI_COMMIT_SHA:0:8} .
-    when:
-      - event: push
-
-  push:
-    image: docker:24-dind
-    privileged: true
-    commands:
-      - echo "$ZOT_PASSWORD" | docker login zot.orchard9.ai -u "$ZOT_USER" --password-stdin
-      - docker push zot.orchard9.ai/{{PROJECT_NAME}}:latest
-      - docker push zot.orchard9.ai/{{PROJECT_NAME}}:${CI_COMMIT_SHA:0:8}
-    secrets: [zot_user, zot_password]
+      - |
+        mkdir -p /kaniko/.docker
+        echo "{\"auths\":{\"zot.orchard9.ai\":{\"username\":\"$ZOT_USER\",\"password\":\"$ZOT_PASSWORD\"}}}" > /kaniko/.docker/config.json
+      - >
+        /kaniko/executor
+        --context .
+        --dockerfile Dockerfile
+        --destination zot.orchard9.ai/{{PROJECT_NAME}}:latest
+        --destination zot.orchard9.ai/{{PROJECT_NAME}}:${CI_COMMIT_SHA:0:8}
+        --cache=true
+    environment:
+      ZOT_USER:
+        from_secret: zot_user
+      ZOT_PASSWORD:
+        from_secret: zot_password
     when:
       - event: push
         branch: main
diff --git a/internal/adapter/templates/templates/go-api/.woodpecker.yml b/internal/adapter/templates/templates/go-api/.woodpecker.yml
index 0cd3c17..b38af65 100644
--- a/internal/adapter/templates/templates/go-api/.woodpecker.yml
+++ b/internal/adapter/templates/templates/go-api/.woodpecker.yml
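Review bot: `image: gcr.io/kaniko-project/executor:debug` is a floating tag, and this is the container that receives the registry credentials and runs every `RUN` instruction of the Dockerfile as root, so each pipeline run trusts whatever gcr.io currently serves under that tag. Pin it to a release tag plus digest, e.g. `image: gcr.io/kaniko-project/executor:<release>-debug@sha256:<digest>`, and treat bumps as reviewed changes; as far as I know the upstream GoogleContainerTools/kaniko repository was archived in 2025, so confirm which fork or mirror these templates should track before choosing what to pin to. The commit subject calls this "rootless", which overstates it slightly — Kaniko removes the need for `privileged: true` but still runs as root inside its own container — so a comment above the image line such as `# Kaniko needs no privileged mode but still runs as root in its container; pin by digest` would set the right expectation for anyone copying this template. The step was also renamed from `build` to `docker`; if anything outside this hunk references the old name (e.g. a `depends_on`), it needs the same rename.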
@@ -14,22 +14,23 @@ steps:
       - event: [push, pull_request]
 
   docker:
-    image: docker:24-dind
-    privileged: true
+    image: gcr.io/kaniko-project/executor:debug
     commands:
-      - docker build -t zot.orchard9.ai/{{PROJECT_NAME}}:latest .
-      - docker build -t zot.orchard9.ai/{{PROJECT_NAME}}:${CI_COMMIT_SHA:0:8} .
-    when:
-      - event: push
-
-  push:
-    image: docker:24-dind
-    privileged: true
-    commands:
-      - echo "$ZOT_PASSWORD" | docker login zot.orchard9.ai -u "$ZOT_USER" --password-stdin
-      - docker push zot.orchard9.ai/{{PROJECT_NAME}}:latest
-      - docker push zot.orchard9.ai/{{PROJECT_NAME}}:${CI_COMMIT_SHA:0:8}
-    secrets: [zot_user, zot_password]
+      - |
+        mkdir -p /kaniko/.docker
+        echo "{\"auths\":{\"zot.orchard9.ai\":{\"username\":\"$ZOT_USER\",\"password\":\"$ZOT_PASSWORD\"}}}" > /kaniko/.docker/config.json
+      - >
+        /kaniko/executor
+        --context .
+        --dockerfile Dockerfile
+        --destination zot.orchard9.ai/{{PROJECT_NAME}}:latest
+        --destination zot.orchard9.ai/{{PROJECT_NAME}}:${CI_COMMIT_SHA:0:8}
+        --cache=true
+    environment:
+      ZOT_USER:
+        from_secret: zot_user
+      ZOT_PASSWORD:
+        from_secret: zot_password
     when:
       - event: push
         branch: main
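Review bot: Because Kaniko executes the Dockerfile's `RUN` instructions inside the executor's own filesystem and process environment, `/kaniko/.docker/config.json` and the `ZOT_USER`/`ZOT_PASSWORD` variables are, as far as I understand Kaniko's model, readable by any build step — so the credential should be a robot account limited to pushing `{{PROJECT_NAME}}` (and, with `--cache=true`, its `{{PROJECT_NAME}}/cache` repository) rather than a shared zot login; confirm against the zot access-control policy. The `when: event: push, branch: main` gate limits this to code already merged, which is the right trust boundary for a credentialed step, but it also means the image build — previously run on every `push` via the removed `when:` block — is no longer exercised before merge, so a broken Dockerfile now surfaces only on main. A no-push variant gated on `pull_request` keeps that signal without handing credentials to unmerged code; the enclosing `steps:` mapping starts before this hunk.

```yaml
  # … unchanged: docker step (build + push on main) …
  docker-check:
    image: gcr.io/kaniko-project/executor:debug
    commands:
      - >
        /kaniko/executor
        --context .
        --dockerfile Dockerfile
        --no-push
    when:
      - event: pull_request
```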