feat: Update templates to use Kaniko for rootless builds

Replace Docker-in-Docker (privileged mode) with Kaniko for container builds. This allows CI pipelines to run without requiring trusted repo status in Woodpecker. - astro-landing: Use Kaniko with from_secret for registry auth - go-api: Use Kaniko with from_secret for registry auth - default: Use Kaniko with from_secret for registry auth Kaniko builds and pushes images without requiring privileged mode, making it compatible with Woodpecker's default security settings. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-28 18:44:24 -07:00 · 2026-01-28 18:44:24 -07:00 · 4d2076d144
commit 4d2076d144
parent 9e3c1c3806
3 changed files with 49 additions and 46 deletions
--- a/internal/adapter/templates/templates/astro-landing/.woodpecker.yml
+++ b/internal/adapter/templates/templates/astro-landing/.woodpecker.yml
@ -14,22 +14,23 @@ steps:
      - event: [push, pull_request]

  docker:
-    image: docker:24-dind
-    privileged: true
+    image: gcr.io/kaniko-project/executor:debug
    commands:
-      - docker build -t zot.orchard9.ai/{{PROJECT_NAME}}:latest .
-      - docker build -t zot.orchard9.ai/{{PROJECT_NAME}}:${CI_COMMIT_SHA:0:8} .
-    when:
-      - event: push
-
-  push:
-    image: docker:24-dind
-    privileged: true
-    commands:
-      - echo "$ZOT_PASSWORD" | docker login zot.orchard9.ai -u "$ZOT_USER" --password-stdin
-      - docker push zot.orchard9.ai/{{PROJECT_NAME}}:latest
-      - docker push zot.orchard9.ai/{{PROJECT_NAME}}:${CI_COMMIT_SHA:0:8}
-    secrets: [zot_user, zot_password]
+      - |
+        mkdir -p /kaniko/.docker
+        echo "{\"auths\":{\"zot.orchard9.ai\":{\"username\":\"$ZOT_USER\",\"password\":\"$ZOT_PASSWORD\"}}}" > /kaniko/.docker/config.json
+      - >
+        /kaniko/executor
+        --context .
+        --dockerfile Dockerfile
+        --destination zot.orchard9.ai/{{PROJECT_NAME}}:latest
+        --destination zot.orchard9.ai/{{PROJECT_NAME}}:${CI_COMMIT_SHA:0:8}
+        --cache=true
+    environment:
+      ZOT_USER:
+        from_secret: zot_user
+      ZOT_PASSWORD:
+        from_secret: zot_password
    when:
      - event: push
        branch: main
--- a/internal/adapter/templates/templates/default/.woodpecker.yml
+++ b/internal/adapter/templates/templates/default/.woodpecker.yml
@ -1,21 +1,22 @@
 steps:
-  build:
-    image: docker:24-dind
-    privileged: true
+  docker:
+    image: gcr.io/kaniko-project/executor:debug
    commands:
-      - docker build -t zot.orchard9.ai/{{PROJECT_NAME}}:latest .
-      - docker build -t zot.orchard9.ai/{{PROJECT_NAME}}:${CI_COMMIT_SHA:0:8} .
-    when:
-      - event: push
-
-  push:
-    image: docker:24-dind
-    privileged: true
-    commands:
-      - echo "$ZOT_PASSWORD" | docker login zot.orchard9.ai -u "$ZOT_USER" --password-stdin
-      - docker push zot.orchard9.ai/{{PROJECT_NAME}}:latest
-      - docker push zot.orchard9.ai/{{PROJECT_NAME}}:${CI_COMMIT_SHA:0:8}
-    secrets: [zot_user, zot_password]
+      - |
+        mkdir -p /kaniko/.docker
+        echo "{\"auths\":{\"zot.orchard9.ai\":{\"username\":\"$ZOT_USER\",\"password\":\"$ZOT_PASSWORD\"}}}" > /kaniko/.docker/config.json
+      - >
+        /kaniko/executor
+        --context .
+        --dockerfile Dockerfile
+        --destination zot.orchard9.ai/{{PROJECT_NAME}}:latest
+        --destination zot.orchard9.ai/{{PROJECT_NAME}}:${CI_COMMIT_SHA:0:8}
+        --cache=true
+    environment:
+      ZOT_USER:
+        from_secret: zot_user
+      ZOT_PASSWORD:
+        from_secret: zot_password
    when:
      - event: push
        branch: main
--- a/internal/adapter/templates/templates/go-api/.woodpecker.yml
+++ b/internal/adapter/templates/templates/go-api/.woodpecker.yml
@ -14,22 +14,23 @@ steps:
      - event: [push, pull_request]

  docker:
-    image: docker:24-dind
-    privileged: true
+    image: gcr.io/kaniko-project/executor:debug
    commands:
-      - docker build -t zot.orchard9.ai/{{PROJECT_NAME}}:latest .
-      - docker build -t zot.orchard9.ai/{{PROJECT_NAME}}:${CI_COMMIT_SHA:0:8} .
-    when:
-      - event: push
-
-  push:
-    image: docker:24-dind
-    privileged: true
-    commands:
-      - echo "$ZOT_PASSWORD" | docker login zot.orchard9.ai -u "$ZOT_USER" --password-stdin
-      - docker push zot.orchard9.ai/{{PROJECT_NAME}}:latest
-      - docker push zot.orchard9.ai/{{PROJECT_NAME}}:${CI_COMMIT_SHA:0:8}
-    secrets: [zot_user, zot_password]
+      - |
+        mkdir -p /kaniko/.docker
+        echo "{\"auths\":{\"zot.orchard9.ai\":{\"username\":\"$ZOT_USER\",\"password\":\"$ZOT_PASSWORD\"}}}" > /kaniko/.docker/config.json
+      - >
+        /kaniko/executor
+        --context .
+        --dockerfile Dockerfile
+        --destination zot.orchard9.ai/{{PROJECT_NAME}}:latest
+        --destination zot.orchard9.ai/{{PROJECT_NAME}}:${CI_COMMIT_SHA:0:8}
+        --cache=true
+    environment:
+      ZOT_USER:
+        from_secret: zot_user
+      ZOT_PASSWORD:
+        from_secret: zot_password
    when:
      - event: push
        branch: main