From 0357261289b60a2d6bf89d07265a7d1570d2847b Mon Sep 17 00:00:00 2001
From: Erdenebat Tsenddorj
Date: Wed, 21 Jan 2026 21:20:53 +0800
Subject: [PATCH] fix: use Kaniko instead of privileged Docker
- Replace docker:dind with Kaniko for rootless builds
- Remove deprecated secrets syntax
- Combine build and push steps
Co-Authored-By: Claude Opus 4.5
---
.woodpecker.yaml | 64 ++++++++++++++++++++----------------------------
1 file changed, 27 insertions(+), 37 deletions(-)
diff --git a/.woodpecker.yaml b/.woodpecker.yaml
index 4ea5c5d..e1eab46 100644
--- a/.woodpecker.yaml
+++ b/.woodpecker.yaml
@@ -6,51 +6,41 @@ when: branch: main steps: - # 1. Backend Docker image build + # 1. Backend Docker image build & push build-backend: - image: docker:24-dind - privileged: true + image: gcr.io/kaniko-project/executor:latest commands: - - 'docker build -t hell-world-backend:${CI_COMMIT_SHA:0:8} ./backend' - - 'docker tag hell-world-backend:${CI_COMMIT_SHA:0:8} registry.gecore.mn/library/hell-world-backend:${CI_COMMIT_SHA:0:8}' - - 'docker tag hell-world-backend:${CI_COMMIT_SHA:0:8} registry.gecore.mn/library/hell-world-backend:latest' + - > + /kaniko/executor + --context=/woodpecker/src + --dockerfile=backend/Dockerfile + --destination=registry.gecore.mn/library/hell-world-backend:${CI_COMMIT_SHA:0:8} + --destination=registry.gecore.mn/library/hell-world-backend:latest + --cache=true + environment: + DOCKER_CONFIG: /kaniko/.docker + when: + event: push + branch: main - # 2. Frontend Docker image build + # 2. Frontend Docker image build & push build-frontend: - image: docker:24-dind - privileged: true + image: gcr.io/kaniko-project/executor:latest commands: - - 'docker build -t hell-world-frontend:${CI_COMMIT_SHA:0:8} ./frontend' - - 'docker tag hell-world-frontend:${CI_COMMIT_SHA:0:8} registry.gecore.mn/library/hell-world-frontend:${CI_COMMIT_SHA:0:8}' - - 'docker tag hell-world-frontend:${CI_COMMIT_SHA:0:8} registry.gecore.mn/library/hell-world-frontend:latest' - - # 3. 
Push backend to Harbor registry - push-backend: - image: docker:24-dind - privileged: true - commands: - - 'echo "$HARBOR_PASSWORD" | docker login registry.gecore.mn -u "$HARBOR_USER" --password-stdin' - - 'docker push registry.gecore.mn/library/hell-world-backend:${CI_COMMIT_SHA:0:8}' - - 'docker push registry.gecore.mn/library/hell-world-backend:latest' - secrets: [harbor_user, harbor_password] + - > + /kaniko/executor + --context=/woodpecker/src + --dockerfile=frontend/Dockerfile + --destination=registry.gecore.mn/library/hell-world-frontend:${CI_COMMIT_SHA:0:8} + --destination=registry.gecore.mn/library/hell-world-frontend:latest + --cache=true + environment: + DOCKER_CONFIG: /kaniko/.docker when: event: push branch: main - # 4. Push frontend to Harbor registry - push-frontend: - image: docker:24-dind - privileged: true - commands: - - 'echo "$HARBOR_PASSWORD" | docker login registry.gecore.mn -u "$HARBOR_USER" --password-stdin' - - 'docker push registry.gecore.mn/library/hell-world-frontend:${CI_COMMIT_SHA:0:8}' - - 'docker push registry.gecore.mn/library/hell-world-frontend:latest' - secrets: [harbor_user, harbor_password] - when: - event: push - branch: main - - # 5. Update Kubernetes manifests with new image tags + # 3. Update Kubernetes manifests with new image tags update-manifests: image: alpine:latest commands: @@ -66,7 +56,7 @@ steps: event: push branch: main - # 6. Deploy notification + # 4. Deploy notification notify: image: alpine:latest commands:
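Review bot: In the first hunk, neither `build-backend` nor `build-frontend` supplies registry credentials any more. The `secrets: [harbor_user, harbor_password]` entries and the `docker login` lines were removed with the push steps, and `DOCKER_CONFIG: /kaniko/.docker` only names a directory that nothing in this hunk populates. As written, the push to `registry.gecore.mn` would either be rejected or rely on the registry accepting anonymous writes, which would be the larger problem. Inject both secrets with `from_secret` and write `config.json` before the executor runs, as sketched below for the backend step (the frontend step needs the same). That file write, and `commands:` in general, needs a shell, which the non-debug executor image is not expected to ship, so a shell-bearing variant is probably required. Pin that image to a fixed version or digest rather than `:latest`, since the step now holds push credentials.

```yaml
  build-backend:
    # placeholder tag: pin a shell-bearing executor variant by version or digest
    image: gcr.io/kaniko-project/executor:<PINNED_DEBUG_TAG>
    environment:
      DOCKER_CONFIG: /kaniko/.docker
      HARBOR_USER:
        from_secret: harbor_user
      HARBOR_PASSWORD:
        from_secret: harbor_password
    commands:
      - mkdir -p /kaniko/.docker
      # assumes the secret values contain no characters that need JSON escaping
      - >-
        printf '{"auths":{"registry.gecore.mn":{"username":"%s","password":"%s"}}}'
        "$HARBOR_USER" "$HARBOR_PASSWORD" > /kaniko/.docker/config.json
      # … unchanged: /kaniko/executor invocation …
    # … unchanged: when …
```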