From fb609d40e39de5b21ba67dc08a180b34fdafc0ea Mon Sep 17 00:00:00 2001
From: Jason Woltje
Date: Mon, 16 Feb 2026 19:56:34 -0600
Subject: [PATCH] fix: use Kaniko --snapshot-mode=redo to fix apt GPG errors in CI
Kaniko's default full-filesystem snapshots corrupt GPG verification state, causing "invalid signature" errors during apt-get update on Debian bookworm (node:24-slim). Using --snapshot-mode=redo avoids this by recalculating layer diffs instead of taking full snapshots. Also keeps the rm -rf /var/lib/apt/lists/* guard in Dockerfiles as a defense-in-depth measure against stale base-image APT metadata.
Co-Authored-By: Claude Opus 4.6
---
 .woodpecker/api.yml | 2 +-
 .woodpecker/coordinator.yml | 2 +-
 .woodpecker/infra.yml | 4 ++--
 .woodpecker/orchestrator.yml | 2 +-
 .woodpecker/web.yml | 2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/.woodpecker/api.yml b/.woodpecker/api.yml
index 9918e32..7d01e3e 100644
--- a/.woodpecker/api.yml
+++ b/.woodpecker/api.yml
@@ -154,7 +154,7 @@ steps:
 elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
 DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-api:dev"
 fi
- /kaniko/executor --context . --dockerfile apps/api/Dockerfile $DESTINATIONS
+ /kaniko/executor --context . --dockerfile apps/api/Dockerfile --snapshot-mode=redo $DESTINATIONS
 when:
 - branch: [main, develop]
 event: [push, manual, tag]
diff --git a/.woodpecker/coordinator.yml b/.woodpecker/coordinator.yml
index 1af4c5f..fa1aa8d 100644
--- a/.woodpecker/coordinator.yml
+++ b/.woodpecker/coordinator.yml
@@ -95,7 +95,7 @@ steps:
 elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
 DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-coordinator:dev"
 fi
- /kaniko/executor --context apps/coordinator --dockerfile apps/coordinator/Dockerfile $DESTINATIONS
+ /kaniko/executor --context apps/coordinator --dockerfile apps/coordinator/Dockerfile --snapshot-mode=redo $DESTINATIONS
 when:
 - branch: [main, develop]
 event: [push, manual, tag]
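Review bot: The added `--snapshot-mode=redo` on the `/kaniko/executor` line in `.woodpecker/api.yml` has no comment saying why it is there or what it trades away, and the same bare flag is repeated in the coordinator, infra (postgres and openbao), orchestrator and web hunks. Per Kaniko's documentation, `redo` decides what changed from file metadata (mtime, size, mode, uid, gid) rather than the full content comparison the default `full` mode performs, so a file rewritten with identical metadata can be left out of a layer in images that are pushed to the registry. I would add a shell comment above each invocation such as `# --snapshot-mode=redo: workaround for apt "invalid signature" under Kaniko full snapshots; change detection is metadata-based, re-evaluate on Kaniko upgrade`. The enclosing step starts above the hunk, so whether a comment line is valid at that position depends on the surrounding block scalar, which is not visible here.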
diff --git a/.woodpecker/infra.yml b/.woodpecker/infra.yml
index 230bfbc..881fb83 100644
--- a/.woodpecker/infra.yml
+++ b/.woodpecker/infra.yml
@@ -39,7 +39,7 @@ steps:
 elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
 DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-postgres:dev"
 fi
- /kaniko/executor --context docker/postgres --dockerfile docker/postgres/Dockerfile $DESTINATIONS
+ /kaniko/executor --context docker/postgres --dockerfile docker/postgres/Dockerfile --snapshot-mode=redo $DESTINATIONS
 when:
 - branch: [main, develop]
 event: [push, manual, tag]
@@ -64,7 +64,7 @@ steps:
 elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
 DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-openbao:dev"
 fi
- /kaniko/executor --context docker/openbao --dockerfile docker/openbao/Dockerfile $DESTINATIONS
+ /kaniko/executor --context docker/openbao --dockerfile docker/openbao/Dockerfile --snapshot-mode=redo $DESTINATIONS
 when:
 - branch: [main, develop]
 event: [push, manual, tag]
diff --git a/.woodpecker/orchestrator.yml b/.woodpecker/orchestrator.yml
index 0640c7b..a3b661d 100644
--- a/.woodpecker/orchestrator.yml
+++ b/.woodpecker/orchestrator.yml
@@ -111,7 +111,7 @@ steps:
 elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
 DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-orchestrator:dev"
 fi
- /kaniko/executor --context . --dockerfile apps/orchestrator/Dockerfile $DESTINATIONS
+ /kaniko/executor --context . --dockerfile apps/orchestrator/Dockerfile --snapshot-mode=redo $DESTINATIONS
 when:
 - branch: [main, develop]
 event: [push, manual, tag]
diff --git a/.woodpecker/web.yml b/.woodpecker/web.yml
index e2f51c3..5345b1f 100644
--- a/.woodpecker/web.yml
+++ b/.woodpecker/web.yml
@@ -122,7 +122,7 @@ steps:
 elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
 DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-web:dev"
 fi
- /kaniko/executor --context . --dockerfile apps/web/Dockerfile --build-arg NEXT_PUBLIC_API_URL=https://api.mosaicstack.dev $DESTINATIONS
+ /kaniko/executor --context . --dockerfile apps/web/Dockerfile --snapshot-mode=redo --build-arg NEXT_PUBLIC_API_URL=https://api.mosaicstack.dev $DESTINATIONS
 when:
 - branch: [main, develop]
 event: [push, manual, tag]
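Review bot: The executor line in `.woodpecker/web.yml` passes `--build-arg NEXT_PUBLIC_API_URL=https://api.mosaicstack.dev` regardless of branch, so the `stack-web:dev` image selected in the `develop` arm of the conditional appears to be built against the same API host as the `main` image. If that is not intended, set the URL in the same `if`/`elif` that sets `DESTINATIONS` and pass it as `--build-arg NEXT_PUBLIC_API_URL="$API_URL"`; if it is intended, a one-line comment saying so would save the next reader the question. The start of the conditional is outside the hunk, so the `main` arm is inferred rather than visible.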