Build Docker image with Kaniko

This eliminates the dependency on the host Docker daemon, thus allowing
us to no longer mount it to the runner's workloads and thus securing
everything.

.gitea/workflows/docker.yml

@@ -1,4 +1,5 @@
 name: Build and publish Docker image
+
 on:
   push:
   pull_request:
@@ -19,28 +20,30 @@ jobs:
     steps:
       - uses: actions/checkout@v3
 
-      - name: Log in to registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-
-      - name: Extract metadata (tags, labels) for Docker
+      - name: Generate suitable tag for kaniko
         id: meta
         uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 
-      - name: Build and push Docker image
-        uses: docker/build-push-action@v5
+      - name: Extract tag for kaniko action
+        id: tag
+        env:
+          TAG: ${{ steps.meta.outputs.tags[0] }}
+        run: |
+          echo "::set-output name=tag::${TAG##*:}"
+
+
+      - name: Build Docker image with kaniko
+        uses: https://code.thetadev.de/ThetaDev/action-kaniko@dbb8da86cf2d498dde8ec1b3be967ceda17a21ff
         with:
-          context: .
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          platforms: |
-            linux/amd64
+          image: ${{ env.IMAGE_NAME }}
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+          tag: ${{ steps.tag.outputs.tag }}
+          platforms: linux/amd64
+          tag_with_latest: ${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
 
       - name: Trigger redeployment
         if: gitea.ref == 'refs/heads/main'