ci: remplace plugin-docker-buildx par docker:27-cli + socket

Evite le mode privileged (non supporté par YunoHost Woodpecker).
Pattern: write-docker-creds (from_secret) → docker-backend/frontend (volumes).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.woodpecker.yml

@@ -29,45 +29,74 @@ steps:
       - npm ci
       - npm run build
 
-  - name: docker-backend
-    image: woodpeckerci/plugin-docker-buildx
-    privileged: true
+  # NOTE: from_secret + pas de volumes : compatible
+  - name: write-docker-creds
+    image: alpine:3.20
     depends_on:
       - test-backend
-    settings:
-      repo: ${CI_FORGE_URL}/${CI_REPO}/backend
-      dockerfile: docker/backend.Dockerfile
-      context: .
-      tag:
-        - latest
-        - ${CI_COMMIT_SHA:0:8}
-      target: production
-      registry:
-        from_secret: docker_registry
-      username:
-        from_secret: docker_username
-      password:
-        from_secret: docker_password
-
-  - name: docker-frontend
-    image: woodpeckerci/plugin-docker-buildx
-    privileged: true
-    depends_on:
       - test-frontend
-    settings:
-      repo: ${CI_FORGE_URL}/${CI_REPO}/frontend
-      dockerfile: docker/frontend.Dockerfile
-      context: .
-      tag:
-        - latest
-        - ${CI_COMMIT_SHA:0:8}
-      target: production
-      registry:
+    environment:
+      REGISTRY:
         from_secret: docker_registry
-      username:
+      REGISTRY_USER:
         from_secret: docker_username
-      password:
+      REGISTRY_PASS:
         from_secret: docker_password
+    commands:
+      - echo "REGISTRY=$REGISTRY" > .docker-creds
+      - echo "REGISTRY_USER=$REGISTRY_USER" >> .docker-creds
+      - echo "REGISTRY_PASS=$REGISTRY_PASS" >> .docker-creds
+      - echo "Docker creds ecrites"
+
+  # NOTE: volumes + pas de from_secret : compatible. Pas de privileged requis.
+  - name: docker-backend
+    image: docker:27-cli
+    depends_on:
+      - write-docker-creds
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    commands:
+      - |
+        REGISTRY=$(grep '^REGISTRY=' .docker-creds | cut -d= -f2)
+        REGISTRY_USER=$(grep '^REGISTRY_USER=' .docker-creds | cut -d= -f2)
+        REGISTRY_PASS=$(grep '^REGISTRY_PASS=' .docker-creds | cut -d= -f2)
+        docker login "$REGISTRY" -u "$REGISTRY_USER" -p "$REGISTRY_PASS"
+      - |
+        REGISTRY=$(grep '^REGISTRY=' .docker-creds | cut -d= -f2)
+        SHA=$(echo "$CI_COMMIT_SHA" | cut -c1-8)
+        REPO=$(echo "$CI_REPO" | tr 'A-Z' 'a-z')
+        IMAGE="$REGISTRY/$REPO/backend"
+        docker build -t "$IMAGE:latest" -t "$IMAGE:$SHA" \
+          -f docker/backend.Dockerfile \
+          --target production \
+          .
+        docker push "$IMAGE:latest"
+        docker push "$IMAGE:$SHA"
+
+  # NOTE: volumes + pas de from_secret : compatible. Pas de privileged requis.
+  - name: docker-frontend
+    image: docker:27-cli
+    depends_on:
+      - write-docker-creds
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    commands:
+      - |
+        REGISTRY=$(grep '^REGISTRY=' .docker-creds | cut -d= -f2)
+        REGISTRY_USER=$(grep '^REGISTRY_USER=' .docker-creds | cut -d= -f2)
+        REGISTRY_PASS=$(grep '^REGISTRY_PASS=' .docker-creds | cut -d= -f2)
+        docker login "$REGISTRY" -u "$REGISTRY_USER" -p "$REGISTRY_PASS"
+      - |
+        REGISTRY=$(grep '^REGISTRY=' .docker-creds | cut -d= -f2)
+        SHA=$(echo "$CI_COMMIT_SHA" | cut -c1-8)
+        REPO=$(echo "$CI_REPO" | tr 'A-Z' 'a-z')
+        IMAGE="$REGISTRY/$REPO/frontend"
+        docker build -t "$IMAGE:latest" -t "$IMAGE:$SHA" \
+          -f docker/frontend.Dockerfile \
+          --target production \
+          .
+        docker push "$IMAGE:latest"
+        docker push "$IMAGE:$SHA"
 
   # SBOM — inventaire des dépendances (filesystem scan, pas de registry auth requis)
   - name: sbom-generate