ci: use kaniko executor for docker builds

Docker, podman, and buildah all fail in the runner container due to missing /proc/self/uid_map (no user namespace support). Kaniko is designed specifically for building Docker images inside containers without privileged access, Docker daemon, or user namespaces. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-09 10:51:42 +00:00
parent 6cfab7432a
commit 0dac2c2f1d
1 changed files with 22 additions and 26 deletions
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -150,44 +150,40 @@ jobs:
    steps:
      - uses: actions/checkout@v4

-      - name: Install buildah and skopeo
-        run: sudo apt-get update && sudo apt-get install -y buildah skopeo
+      - name: Install kaniko
+        run: |
+          curl -sL "https://github.com/GoogleContainerTools/kaniko/releases/download/v1.23.2/executor-v1.23.2-linux-amd64.tar.gz" \
+            -o /tmp/kaniko.tar.gz
+          sudo tar xzf /tmp/kaniko.tar.gz -C /usr/local/bin executor
+          sudo chmod +x /usr/local/bin/executor

      - name: Build & push mcpd
        run: |
-          buildah build --isolation chroot --storage-driver vfs \
-            -t mcpd:latest -f deploy/Dockerfile.mcpd .
-          skopeo copy --src-tls-verify=false --dest-tls-verify=false \
-            --dest-creds "${{ env.OWNER }}:${{ secrets.PACKAGES_TOKEN }}" \
-            containers-storage:[vfs@/var/lib/containers/storage]mcpd:latest \
-            docker://${{ env.REGISTRY }}/${{ env.OWNER }}/mcpd:latest
+          executor --dockerfile=deploy/Dockerfile.mcpd \
+            --context=dir://. \
+            --destination=${{ env.REGISTRY }}/${{ env.OWNER }}/mcpd:latest \
+            --insecure --skip-tls-verify

      - name: Build & push node-runner
        run: |
-          buildah build --isolation chroot --storage-driver vfs \
-            -t node-runner:latest -f deploy/Dockerfile.node-runner .
-          skopeo copy --src-tls-verify=false --dest-tls-verify=false \
-            --dest-creds "${{ env.OWNER }}:${{ secrets.PACKAGES_TOKEN }}" \
-            containers-storage:[vfs@/var/lib/containers/storage]node-runner:latest \
-            docker://${{ env.REGISTRY }}/${{ env.OWNER }}/mcpctl-node-runner:latest
+          executor --dockerfile=deploy/Dockerfile.node-runner \
+            --context=dir://. \
+            --destination=${{ env.REGISTRY }}/${{ env.OWNER }}/mcpctl-node-runner:latest \
+            --insecure --skip-tls-verify

      - name: Build & push python-runner
        run: |
-          buildah build --isolation chroot --storage-driver vfs \
-            -t python-runner:latest -f deploy/Dockerfile.python-runner .
-          skopeo copy --src-tls-verify=false --dest-tls-verify=false \
-            --dest-creds "${{ env.OWNER }}:${{ secrets.PACKAGES_TOKEN }}" \
-            containers-storage:[vfs@/var/lib/containers/storage]python-runner:latest \
-            docker://${{ env.REGISTRY }}/${{ env.OWNER }}/mcpctl-python-runner:latest
+          executor --dockerfile=deploy/Dockerfile.python-runner \
+            --context=dir://. \
+            --destination=${{ env.REGISTRY }}/${{ env.OWNER }}/mcpctl-python-runner:latest \
+            --insecure --skip-tls-verify

      - name: Build & push docmost-mcp
        run: |
-          buildah build --isolation chroot --storage-driver vfs \
-            -t docmost-mcp:latest -f deploy/Dockerfile.docmost-mcp .
-          skopeo copy --src-tls-verify=false --dest-tls-verify=false \
-            --dest-creds "${{ env.OWNER }}:${{ secrets.PACKAGES_TOKEN }}" \
-            containers-storage:[vfs@/var/lib/containers/storage]docmost-mcp:latest \
-            docker://${{ env.REGISTRY }}/${{ env.OWNER }}/docmost-mcp:latest
+          executor --dockerfile=deploy/Dockerfile.docmost-mcp \
+            --context=dir://. \
+            --destination=${{ env.REGISTRY }}/${{ env.OWNER }}/docmost-mcp:latest \
+            --insecure --skip-tls-verify

      - name: Link packages to repository
        env: