From 08444b41a89389633ed5620b99798772d65d33aa Mon Sep 17 00:00:00 2001
From: 0xWheatyz <wyatt@leeworks.dev>
Date: Fri, 6 Mar 2026 03:07:47 +0000
Subject: [PATCH] feat: replace Kaniko with buildah for container builds
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Switch from archived Kaniko to actively maintained buildah
- Use buildah from Alpine repos (no manual binary downloads)
- Replace bash syntax with POSIX sh (case instead of [[ ]])
- buildah works better in unprivileged containerized environments
- Simpler setup: just apk add buildah, no extra configuration

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 .gitea/workflows/build.yaml | 81 ++++++++++++++++---------------------
 1 file changed, 34 insertions(+), 47 deletions(-)

diff --git a/.gitea/workflows/build.yaml b/.gitea/workflows/build.yaml
index 324c257..20cf4d8 100644
--- a/.gitea/workflows/build.yaml
+++ b/.gitea/workflows/build.yaml
@@ -15,13 +15,7 @@ jobs:
       - name: Install dependencies
         shell: sh
         run: |
-          apk add --no-cache git wget ca-certificates
-
-      - name: Install Kaniko
-        shell: sh
-        run: |
-          wget -O /usr/local/bin/executor https://github.com/GoogleContainerTools/kaniko/releases/download/v1.23.2/executor-linux-amd64
-          chmod +x /usr/local/bin/executor
+          apk add --no-cache git buildah fuse-overlayfs
 
       - name: Checkout code
         shell: sh
@@ -48,54 +42,47 @@ jobs:
           IMAGE_BASE="${REGISTRY}/${REPO_OWNER_LOWER}/${REPO_NAME_LOWER}"
 
           # Determine tag based on ref
-          if [[ "${{ gitea.ref }}" == refs/tags/* ]]; then
-            # Tag push - use the tag name
-            TAG_NAME="${{ gitea.ref_name }}"
-            echo "IMAGE_TAG=${IMAGE_BASE}:${TAG_NAME}" >> $GITHUB_OUTPUT
-            echo "PUSH_LATEST=true" >> $GITHUB_OUTPUT
-          elif [[ "${{ gitea.ref_name }}" == "main" ]]; then
-            # Main branch - use commit SHA (shortened to 7 chars) and latest
-            SHORT_SHA=$(echo "${{ gitea.sha }}" | cut -c1-7)
-            echo "IMAGE_TAG=${IMAGE_BASE}:${SHORT_SHA}" >> $GITHUB_OUTPUT
-            echo "PUSH_LATEST=true" >> $GITHUB_OUTPUT
-          else
-            # Other branches - use branch name
-            BRANCH_TAG=$(echo "${{ gitea.ref_name }}" | sed 's/\//-/g')
-            echo "IMAGE_TAG=${IMAGE_BASE}:${BRANCH_TAG}" >> $GITHUB_OUTPUT
-            echo "PUSH_LATEST=false" >> $GITHUB_OUTPUT
-          fi
+          case "${{ gitea.ref }}" in
+            refs/tags/*)
+              # Tag push - use the tag name
+              TAG_NAME="${{ gitea.ref_name }}"
+              echo "IMAGE_TAG=${IMAGE_BASE}:${TAG_NAME}" >> $GITHUB_OUTPUT
+              echo "PUSH_LATEST=true" >> $GITHUB_OUTPUT
+              ;;
+            refs/heads/main)
+              # Main branch - use commit SHA (shortened to 7 chars) and latest
+              SHORT_SHA=$(echo "${{ gitea.sha }}" | cut -c1-7)
+              echo "IMAGE_TAG=${IMAGE_BASE}:${SHORT_SHA}" >> $GITHUB_OUTPUT
+              echo "PUSH_LATEST=true" >> $GITHUB_OUTPUT
+              ;;
+            *)
+              # Other branches - use branch name
+              BRANCH_TAG=$(echo "${{ gitea.ref_name }}" | sed 's/\//-/g')
+              echo "IMAGE_TAG=${IMAGE_BASE}:${BRANCH_TAG}" >> $GITHUB_OUTPUT
+              echo "PUSH_LATEST=false" >> $GITHUB_OUTPUT
+              ;;
+          esac
 
           echo "IMAGE_LATEST=${IMAGE_BASE}:latest" >> $GITHUB_OUTPUT
 
-      - name: Setup Kaniko config
+      - name: Login to registry
         shell: sh
         run: |
-          mkdir -p /kaniko/.docker
-          cat > /kaniko/.docker/config.json <<EOF
-          {
-            "auths": {
-              "gitea.leeworks.dev": {
-                "auth": "$(echo -n "${{ gitea.actor }}:${{ secrets.PERSONAL_TOKEN }}" | base64)"
-              }
-            }
-          }
-          EOF
+          echo "${{ secrets.PERSONAL_TOKEN }}" | buildah login --username "${{ gitea.actor }}" --password-stdin gitea.leeworks.dev
 
-      - name: Build and push with Kaniko
+      - name: Build and push with buildah
         shell: sh
         run: |
-          echo "Building and pushing image with Kaniko..."
-          if [[ "${{ steps.tags.outputs.PUSH_LATEST }}" == "true" ]]; then
-            /usr/local/bin/executor \
-              --context=/workspace/${{ gitea.repository }} \
-              --dockerfile=Dockerfile \
-              --destination=${{ steps.tags.outputs.IMAGE_TAG }} \
-              --destination=${{ steps.tags.outputs.IMAGE_LATEST }}
-          else
-            /usr/local/bin/executor \
-              --context=/workspace/${{ gitea.repository }} \
-              --dockerfile=Dockerfile \
-              --destination=${{ steps.tags.outputs.IMAGE_TAG }}
+          echo "Building image with buildah..."
+          buildah bud -t ${{ steps.tags.outputs.IMAGE_TAG }} .
+
+          echo "Pushing image..."
+          buildah push ${{ steps.tags.outputs.IMAGE_TAG }}
+
+          if [ "${{ steps.tags.outputs.PUSH_LATEST }}" = "true" ]; then
+            echo "Tagging and pushing latest..."
+            buildah tag ${{ steps.tags.outputs.IMAGE_TAG }} ${{ steps.tags.outputs.IMAGE_LATEST }}
+            buildah push ${{ steps.tags.outputs.IMAGE_LATEST }}
           fi
 
           echo "Build and push completed successfully!"