ci: use kaniko executor for docker builds

Docker, podman, and buildah all fail in the runner container due to
missing /proc/self/uid_map (no user namespace support). Kaniko is
designed specifically for building Docker images inside containers
without privileged access, Docker daemon, or user namespaces.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.gitea/workflows/ci.yml

@@ -150,44 +150,40 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: Install buildah and skopeo
+      - name: Install kaniko
-        run: sudo apt-get update && sudo apt-get install -y buildah skopeo
+        run: |
+          curl -sL "https://github.com/GoogleContainerTools/kaniko/releases/download/v1.23.2/executor-v1.23.2-linux-amd64.tar.gz" \
+            -o /tmp/kaniko.tar.gz
+          sudo tar xzf /tmp/kaniko.tar.gz -C /usr/local/bin executor
+          sudo chmod +x /usr/local/bin/executor
 
       - name: Build & push mcpd
         run: |
-          buildah build --isolation chroot --storage-driver vfs \
+          executor --dockerfile=deploy/Dockerfile.mcpd \
-            -t mcpd:latest -f deploy/Dockerfile.mcpd .
+            --context=dir://. \
-          skopeo copy --src-tls-verify=false --dest-tls-verify=false \
+            --destination=${{ env.REGISTRY }}/${{ env.OWNER }}/mcpd:latest \
-            --dest-creds "${{ env.OWNER }}:${{ secrets.PACKAGES_TOKEN }}" \
+            --insecure --skip-tls-verify
-            containers-storage:[vfs@/var/lib/containers/storage]mcpd:latest \
-            docker://${{ env.REGISTRY }}/${{ env.OWNER }}/mcpd:latest
 
       - name: Build & push node-runner
         run: |
-          buildah build --isolation chroot --storage-driver vfs \
+          executor --dockerfile=deploy/Dockerfile.node-runner \
-            -t node-runner:latest -f deploy/Dockerfile.node-runner .
+            --context=dir://. \
-          skopeo copy --src-tls-verify=false --dest-tls-verify=false \
+            --destination=${{ env.REGISTRY }}/${{ env.OWNER }}/mcpctl-node-runner:latest \
-            --dest-creds "${{ env.OWNER }}:${{ secrets.PACKAGES_TOKEN }}" \
+            --insecure --skip-tls-verify
-            containers-storage:[vfs@/var/lib/containers/storage]node-runner:latest \
-            docker://${{ env.REGISTRY }}/${{ env.OWNER }}/mcpctl-node-runner:latest
 
       - name: Build & push python-runner
         run: |
-          buildah build --isolation chroot --storage-driver vfs \
+          executor --dockerfile=deploy/Dockerfile.python-runner \
-            -t python-runner:latest -f deploy/Dockerfile.python-runner .
+            --context=dir://. \
-          skopeo copy --src-tls-verify=false --dest-tls-verify=false \
+            --destination=${{ env.REGISTRY }}/${{ env.OWNER }}/mcpctl-python-runner:latest \
-            --dest-creds "${{ env.OWNER }}:${{ secrets.PACKAGES_TOKEN }}" \
+            --insecure --skip-tls-verify
-            containers-storage:[vfs@/var/lib/containers/storage]python-runner:latest \
-            docker://${{ env.REGISTRY }}/${{ env.OWNER }}/mcpctl-python-runner:latest
 
       - name: Build & push docmost-mcp
         run: |
-          buildah build --isolation chroot --storage-driver vfs \
+          executor --dockerfile=deploy/Dockerfile.docmost-mcp \
-            -t docmost-mcp:latest -f deploy/Dockerfile.docmost-mcp .
+            --context=dir://. \
-          skopeo copy --src-tls-verify=false --dest-tls-verify=false \
+            --destination=${{ env.REGISTRY }}/${{ env.OWNER }}/docmost-mcp:latest \
-            --dest-creds "${{ env.OWNER }}:${{ secrets.PACKAGES_TOKEN }}" \
+            --insecure --skip-tls-verify
-            containers-storage:[vfs@/var/lib/containers/storage]docmost-mcp:latest \
-            docker://${{ env.REGISTRY }}/${{ env.OWNER }}/docmost-mcp:latest
 
       - name: Link packages to repository
         env: