From 9a6c43edfc705a1994e9074865fa2835bac8ac37 Mon Sep 17 00:00:00 2001
From: Dalton Alvarenga
Date: Wed, 6 May 2026 10:19:19 -0300
Subject: [PATCH] fix(ci): build com Kaniko (sem Docker daemon, sem Cloud Build, sem IAM novo)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Job 1 (build) roda dentro da imagem gcr.io/kaniko-project/executor:debug e usa _json_key auth do AR. Job 2 (deploy) é runner default + kubectl e depende do build via 'needs'.
---
.gitea/workflows/cd.yml | 60 ++++++++++++++++++++++++++++++-----------
1 file changed, 45 insertions(+), 15 deletions(-)

diff --git a/.gitea/workflows/cd.yml b/.gitea/workflows/cd.yml
index e1307bb..e5b0ece 100644
--- a/.gitea/workflows/cd.yml
+++ b/.gitea/workflows/cd.yml
@@ -6,16 +6,53 @@ on: pull_request: env: - IMAGE_BASE: ${{ secrets.AR_LOCATION }}-docker.pkg.dev/${{ secrets.GCP_PROJECT }}/${{ secrets.AR_REPO }} + IMG: ${{ secrets.AR_LOCATION }}-docker.pkg.dev/${{ secrets.GCP_PROJECT }}/${{ secrets.AR_REPO }}/${{ gitea.event.repository.name }}:lab-${{ gitea.run_number }} jobs: + # Build + push da imagem usando Kaniko (sem Docker daemon, sem Cloud Build). + # Roda dentro da imagem oficial do Kaniko que tem busybox + binary executor. build: runs-on: ubuntu-latest + container: + image: gcr.io/kaniko-project/executor:v1.23.2-debug + steps: + - uses: actions/checkout@v4 + + - name: Auth Artifact Registry + Build & Push (kaniko) + run: | + set -e + mkdir -p /kaniko/.docker + # Grava a chave da SA em arquivo via heredoc (preserva quebras/aspas) + cat > /tmp/sa.json <<'__SA_EOF__' + ${{ secrets.GCP_SA_KEY }} + __SA_EOF__ + # Docker config: Basic Auth com user `_json_key` + JSON da SA + AUTH_B64=$(printf '_json_key:%s' "$(cat /tmp/sa.json)" | base64 -w0) + cat > /kaniko/.docker/config.json <> $GITHUB_ENV - - - name: Deploy hml2 (apenas em push pra master/main) - if: github.event_name == 'push' + - name: Deploy hml2 env: USE_GKE_GCLOUD_AUTH_PLUGIN: "True" run: | gcloud container clusters get-credentials ${{ secrets.GKE_CLUSTER }} --region ${{ secrets.GKE_REGION }} --project ${{ secrets.GCP_PROJECT }} NS=${{ secrets.K8S_NAMESPACE }} - # 1) Aplica manifests (idempotente — cria PVC/Service/Ingress/Deployment se faltarem) + # 1) Aplica manifests (idempotente) if [ -d k8s ]; then kubectl apply -n "$NS" -f k8s/ fi - # 2) Atualiza image + # 2) Atualiza imagem DEPLOYMENT="${{ gitea.event.repository.name }}-deployment" if kubectl get deployment "$DEPLOYMENT" -n "$NS" >/dev/null 2>&1; then CONTAINER=$(kubectl get deployment "$DEPLOYMENT" -n "$NS" -o jsonpath='{.spec.template.spec.containers[0].name}') - kubectl set image deployment/"$DEPLOYMENT" -n "$NS" "$CONTAINER=$IMG" + kubectl set image deployment/"$DEPLOYMENT" -n "$NS" "$CONTAINER=${IMG}" 
kubectl rollout status deployment/"$DEPLOYMENT" -n "$NS" --timeout=600s else - echo "Deployment $DEPLOYMENT não existe no ns $NS — pulei set image (provavelmente é o 1º deploy e o kubectl apply acabou de criar)" + echo "Deployment $DEPLOYMENT não existe — kubectl apply acabou de criar (1º deploy)" fi
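Review bot: The deploy step drops its `if: github.event_name == 'push'` guard (the removed line beside the renamed `Deploy hml2` step) while the workflow still triggers on `pull_request:` at the top of the hunk, so a pull request now runs the build with `GCP_SA_KEY` and rolls its `lab-<run_number>` image out to the hml2 namespace; restore the guard on the deploy job or step, e.g. `if: gitea.event_name == 'push'`, or remove the `pull_request` trigger. Separately, the build step expands `${{ secrets.GCP_SA_KEY }}` inline inside the heredoc, which writes the raw key into the generated shell script instead of the process environment, and leaves `/tmp/sa.json` at the default umask; passing the key through `env:` and writing it with `printf` under `umask 077` is the safer shape shown below. The hunk text is truncated between `config.json <<` and `>> $GITHUB_ENV`, so the kaniko executor invocation, any digest handling, and the `needs: build` edge the commit message describes are not visible here and were not reviewed; if the deploy only ever references the `:lab-<run_number>` tag, consider setting the image by the digest kaniko pushed rather than by tag. The Kaniko base image is pinned by tag only (`v1.23.2-debug`); since that container now holds registry credentials, pin it by `@sha256:` digest.
```yaml
      - name: Auth Artifact Registry + Build & Push (kaniko)
        env:
          # Via the environment, not `${{ }}` interpolation, so the key is
          # never written into the generated shell script.
          GCP_SA_KEY: ${{ secrets.GCP_SA_KEY }}
        run: |
          set -e
          umask 077
          mkdir -p /kaniko/.docker
          printf '%s' "$GCP_SA_KEY" > /tmp/sa.json
          # … unchanged: docker config.json generation and kaniko executor call …
          rm -f /tmp/sa.json
```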