From d49b4cd6db612351f5bdaa3d9547ceeab148deb6 Mon Sep 17 00:00:00 2001
From: Jason Woltje <jason@diversecanvas.com>
Date: Sun, 1 Mar 2026 17:40:58 -0600
Subject: [PATCH] fix(ci): use Kaniko for base image build (no privileged mode
 needed)

---
 .woodpecker/base-image.yml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 .woodpecker/base-image.yml

diff --git a/.woodpecker/base-image.yml b/.woodpecker/base-image.yml
new file mode 100644
index 0000000..6b7242f
--- /dev/null
+++ b/.woodpecker/base-image.yml
@@ -0,0 +1,27 @@
+when:
+  - event: manual
+  - event: cron
+    cron: weekly-base-image
+
+variables:
+  - &kaniko_setup |
+    mkdir -p /kaniko/.docker
+    echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$GITEA_USER\",\"password\":\"$GITEA_TOKEN\"}}}" > /kaniko/.docker/config.json
+
+steps:
+  build-base:
+    image: gcr.io/kaniko-project/executor:debug
+    environment:
+      GITEA_USER:
+        from_secret: gitea_username
+      GITEA_TOKEN:
+        from_secret: gitea_token
+    commands:
+      - *kaniko_setup
+      - /kaniko/executor
+          --context .
+          --dockerfile docker/base.Dockerfile
+          --destination git.mosaicstack.dev/mosaic/node-base:24-slim
+          --destination git.mosaicstack.dev/mosaic/node-base:latest
+          --cache=true
+          --cache-repo git.mosaicstack.dev/mosaic/node-base/cache
-- 
2.49.1