fix(ci): use Kaniko for base image build (no privileged mode)

.woodpecker/base-image.yml

@@ -3,16 +3,25 @@ when:
   - event: cron
     cron: weekly-base-image
 
+variables:
+  - &kaniko_setup |
+    mkdir -p /kaniko/.docker
+    echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$GITEA_USER\",\"password\":\"$GITEA_TOKEN\"}}}" > /kaniko/.docker/config.json
+
 steps:
   build-base:
-    image: woodpeckerci/plugin-docker-buildx:latest
+    image: gcr.io/kaniko-project/executor:debug
-    privileged: true
+    environment:
-    settings:
+      GITEA_USER:
-      registry: git.mosaicstack.dev
+        from_secret: gitea_username
-      repo: git.mosaicstack.dev/mosaic/node-base
+      GITEA_TOKEN:
-      tags: 24-slim
-      dockerfile: docker/base.Dockerfile
-      username:
-        from_secret: gitea_user
-      password:
         from_secret: gitea_token
+    commands:
+      - *kaniko_setup
+      - /kaniko/executor
+          --context .
+          --dockerfile docker/base.Dockerfile
+          --destination git.mosaicstack.dev/mosaic/node-base:24-slim
+          --destination git.mosaicstack.dev/mosaic/node-base:latest
+          --cache=true
+          --cache-repo git.mosaicstack.dev/mosaic/node-base/cache