From 07d44a4c85fc44f5edc2b6ba4f62919921ebac08 Mon Sep 17 00:00:00 2001
From: Jason Woltje <jason@diversecanvas.com>
Date: Sun, 1 Mar 2026 17:41:37 -0600
Subject: [PATCH] fix(ci): use Kaniko for base image build (no privileged mode)

---
 .woodpecker/base-image.yml | 29 +++++++++++++++++++----------
 1 file changed, 19 insertions(+), 10 deletions(-)

diff --git a/.woodpecker/base-image.yml b/.woodpecker/base-image.yml
index 8fa1f29..6b7242f 100644
--- a/.woodpecker/base-image.yml
+++ b/.woodpecker/base-image.yml
@@ -3,16 +3,25 @@ when:
   - event: cron
     cron: weekly-base-image
 
+variables:
+  - &kaniko_setup |
+    mkdir -p /kaniko/.docker
+    echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$GITEA_USER\",\"password\":\"$GITEA_TOKEN\"}}}" > /kaniko/.docker/config.json
+
 steps:
   build-base:
-    image: woodpeckerci/plugin-docker-buildx:latest
-    privileged: true
-    settings:
-      registry: git.mosaicstack.dev
-      repo: git.mosaicstack.dev/mosaic/node-base
-      tags: 24-slim
-      dockerfile: docker/base.Dockerfile
-      username:
-        from_secret: gitea_user
-      password:
+    image: gcr.io/kaniko-project/executor:debug
+    environment:
+      GITEA_USER:
+        from_secret: gitea_username
+      GITEA_TOKEN:
         from_secret: gitea_token
+    commands:
+      - *kaniko_setup
+      - /kaniko/executor
+          --context .
+          --dockerfile docker/base.Dockerfile
+          --destination git.mosaicstack.dev/mosaic/node-base:24-slim
+          --destination git.mosaicstack.dev/mosaic/node-base:latest
+          --cache=true
+          --cache-repo git.mosaicstack.dev/mosaic/node-base/cache
-- 
2.49.1