From 554fe27a791305d04d6cddb2aba1db7fbac0edeb Mon Sep 17 00:00:00 2001
From: ITQ <itq.dev@ya.ru>
Date: Fri, 21 Nov 2025 15:31:47 +0300
Subject: [PATCH] chore: switched build impl to buildah

---
 .gitlab-ci.yml | 160 ++++++++++++++++++++++++-------------------------
 1 file changed, 78 insertions(+), 82 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 2217a36..5268fc2 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -7,8 +7,6 @@ stages:
 
 variables:
   BASE_IMAGE_NAME: $CI_REGISTRY_IMAGE
-  DOCKER_DRIVER: overlay2
-  DOCKER_TLS_CERTDIR: ""
   TRIVY_CACHE_DIR: .cache/trivy
   TRIVY_NO_PROGRESS: "true"
   TRIVY_TIMEOUT: "10m0s"
@@ -17,6 +15,8 @@ variables:
   TRIVY_REGISTRY: $CI_REGISTRY
   UV_PROJECT_ENVIRONMENT: .venv
   UV_CACHE_DIR: .cache/uv
+  BUILDAH_ISOLATION: oci
+  STORAGE_DRIVER: vfs
 
 cache:
   key: "${CI_COMMIT_REF_SLUG}"
@@ -26,12 +26,12 @@ cache:
     - $UV_PROJECT_ENVIRONMENT
   policy: pull-push
 
-.docker-job: &docker-job
-  image: docker:28.5
-  services:
-    - docker:28.5-dind
+.buildah-job: &buildah-job
+  image: quay.io/containers/buildah:latest
+  variables:
+    STORAGE_DRIVER: vfs
   before_script:
-    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
+    - buildah login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
 
 .trivy-fs-template: &trivy-fs-scan
   stage: security
@@ -116,20 +116,18 @@ cache:
       when: on_success
 
 .build-template: &build-config
-  <<: *docker-job
+  <<: *buildah-job
   stage: build
-  variables:
-    DOCKER_BUILDKIT: 1
-    BUILDKIT_INLINE_CACHE: 1
   script:
     - |
-      docker buildx create --use
-      docker buildx build . \
-        -t $IMAGE_NAME:$CI_COMMIT_SHA \
-        -f $CONTAINERFILE --target $BUILDTARGET --push \
-        --cache-from type=registry,ref=$IMAGE_NAME-cache \
-        --cache-to type=registry,ref=$IMAGE_NAME-cache,mode=max,oci-mediatypes=true,image-manifest=true,compression=zstd \
-        --build-arg BUILDKIT_INLINE_CACHE=1
+      buildah build . \
+        --tag $IMAGE_NAME:$CI_COMMIT_SHA \
+        --file $CONTAINERFILE \
+        --target $BUILDTARGET \
+        --layers \
+        --cache-from $IMAGE_NAME-cache \
+        --cache-to $IMAGE_NAME-cache
+    - buildah push $IMAGE_NAME:$CI_COMMIT_SHA
   rules:
     - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
       when: always
@@ -140,26 +138,24 @@ cache:
       allow_failure: true
 
 .tag-template: &tag-config
-  <<: *docker-job
+  <<: *buildah-job
   stage: tag
   script:
     - |
       set -euo pipefail
-      IMAGE="$IMAGE_NAME:$CI_COMMIT_SHA"
-      docker pull "$IMAGE"
-
+      
       if [ -n "${CI_COMMIT_TAG:-}" ]; then
-        docker tag "$IMAGE" "$IMAGE_NAME:$CI_COMMIT_TAG"
-        docker push "$IMAGE_NAME:$CI_COMMIT_TAG"
+        buildah tag $IMAGE_NAME:$CI_COMMIT_SHA $IMAGE_NAME:$CI_COMMIT_TAG
+        buildah push $IMAGE_NAME:$CI_COMMIT_TAG
       fi
 
       if [ -n "${CI_COMMIT_BRANCH:-}" ]; then
-        docker tag "$IMAGE" "$IMAGE_NAME:$CI_COMMIT_REF_SLUG"
-        docker push "$IMAGE_NAME:$CI_COMMIT_REF_SLUG"
+        buildah tag $IMAGE_NAME:$CI_COMMIT_SHA $IMAGE_NAME:$CI_COMMIT_REF_SLUG
+        buildah push $IMAGE_NAME:$CI_COMMIT_REF_SLUG
 
         if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then
-          docker tag "$IMAGE" "$IMAGE_NAME:latest"
-          docker push "$IMAGE_NAME:latest"
+          buildah tag $IMAGE_NAME:$CI_COMMIT_SHA $IMAGE_NAME:latest
+          buildah push $IMAGE_NAME:latest
         fi
       fi
   rules:
@@ -219,61 +215,61 @@ lint:
     - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
     - if: $CI_COMMIT_TAG
 
-test:
-  <<: *docker-job
-  stage: test
-  variables:
-    COMPOSE_PROFILES: |
-      --profile migrations
-      --profile tests
-  script:
-    - apk add --no-cache docker-compose
-    - export PROFILES="$(printf '%s ' $COMPOSE_PROFILES)"
-    - cp "$TEST_STAGE_FIREBASE_CONF" ./infrastructure/configs/backend/firebase.json
-    - |
-      (
-        while true; do
-          docker compose -f compose.yaml $PROFILES logs -f 2>&1
-          sleep 1
-        done
-      ) | tee -a compose.log &
-    - LOGS_PID=$!
-    - |
-      REGISTRY_PREFIX=$CI_REGISTRY_IMAGE IMAGE_TAG=$CI_COMMIT_SHA \
-      docker compose -f compose.yaml -f compose.prod.yaml \
-      $PROFILES up -d --quiet-pull --quiet-build 2>&1 | tee compose.log
-    - |
-      TEST_CONTAINER_ID=$(docker compose -f compose.yaml $PROFILES ps -q tests -a)
-      timeout 600 docker wait $TEST_CONTAINER_ID
-      TEST_EXIT_CODE=$(docker inspect --format "{{.State.ExitCode}}" $TEST_CONTAINER_ID)
+# test:
+#   <<: *docker-job
+#   stage: test
+#   variables:
+#     COMPOSE_PROFILES: |
+#       --profile migrations
+#       --profile tests
+#   script:
+#     - apk add --no-cache docker-compose
+#     - export PROFILES="$(printf '%s ' $COMPOSE_PROFILES)"
+#     - cp "$TEST_STAGE_FIREBASE_CONF" ./infrastructure/configs/backend/firebase.json
+#     - |
+#       (
+#         while true; do
+#           docker compose -f compose.yaml $PROFILES logs -f 2>&1
+#           sleep 1
+#         done
+#       ) | tee -a compose.log &
+#     - LOGS_PID=$!
+#     - |
+#       REGISTRY_PREFIX=$CI_REGISTRY_IMAGE IMAGE_TAG=$CI_COMMIT_SHA \
+#       docker compose -f compose.yaml -f compose.prod.yaml \
+#       $PROFILES up -d --quiet-pull --quiet-build 2>&1 | tee compose.log
+#     - |
+#       TEST_CONTAINER_ID=$(docker compose -f compose.yaml $PROFILES ps -q tests -a)
+#       timeout 600 docker wait $TEST_CONTAINER_ID
+#       TEST_EXIT_CODE=$(docker inspect --format "{{.State.ExitCode}}" $TEST_CONTAINER_ID)
 
-      if [ $TEST_EXIT_CODE -eq 0 ]; then
-        echo "Tests passed."
-      else
-        echo "Tests failed with exit code $TEST_EXIT_CODE."
-        exit 1
-      fi
-    - |
-      docker compose -f compose.yaml $PROFILES down
-    - cat .cov/coverage.txt
-  artifacts:
-    paths:
-      - ./.cov
-      - ./compose.log
-    reports:
-      coverage_report:
-        coverage_format: cobertura
-        path: .cov/coverage.xml
-    expire_in: 1 week
-    when: always
-  coverage: /TOTAL.*? (100(?:\.0+)?\%|[1-9]?\d(?:\.\d+)?\%)$/
-  rules:
-    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
-    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
-  dependencies:
-    - build-runtime
-    - build-tests
-    - build-migrations
+#       if [ $TEST_EXIT_CODE -eq 0 ]; then
+#         echo "Tests passed."
+#       else
+#         echo "Tests failed with exit code $TEST_EXIT_CODE."
+#         exit 1
+#       fi
+#     - |
+#       docker compose -f compose.yaml $PROFILES down
+#     - cat .cov/coverage.txt
+#   artifacts:
+#     paths:
+#       - ./.cov
+#       - ./compose.log
+#     reports:
+#       coverage_report:
+#         coverage_format: cobertura
+#         path: .cov/coverage.xml
+#     expire_in: 1 week
+#     when: always
+#   coverage: /TOTAL.*? (100(?:\.0+)?\%|[1-9]?\d(?:\.\d+)?\%)$/
+#   rules:
+#     - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+#     - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+#   dependencies:
+#     - build-runtime
+#     - build-tests
+#     - build-migrations
 
 sast-filesystem:
   <<: *trivy-fs-scan