Changed from Docker daemon/privileged: true

.woodpecker.yml

@@ -6,6 +6,7 @@ name: prod-promotion
 steps:
   - name: promote-tag-and-mirror
     image: google/cloud-sdk:latest
+    privileged: true
     entrypoint:
       - bash
       - -c
@@ -19,8 +20,15 @@ steps:
         DST="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo"
 
          apt-get update -qq
-        apt-get install -y -qq docker.io
+         apt-get install -y -qq skopeo
-        gcloud auth configure-docker us-central1-docker.pkg.dev -q
+         TOKEN="$(gcloud auth print-access-token)"
+         for s in server1 server2 server3 nginx; do
+          skopeo copy --insecure-policy \
+            --src-creds  "oauth2accesstoken:${TOKEN}" \
+            --dest-creds "oauth2accesstoken:${TOKEN}" \
+            "docker://${SRC}/${s}:${IMG_TAG}" \
+            "docker://${DST}/${s}:${IMG_TAG}"
+         done
 
         for svc in server1 server2 server3 nginx; do
           docker pull "$SRC/$svc:$IMG_TAG"
@@ -33,6 +41,7 @@ steps:
         echo "🏷  Promoted IMG_TAG=${IMG_TAG} → aptivaai-prod & mirrored images"
 
   - name: verify-sync
+    privileged: true
     depends_on: [promote-tag-and-mirror]
     image: google/cloud-sdk:latest
     entrypoint:
@@ -47,14 +56,16 @@ steps:
         echo "✅ Tag parity confirmed: $IMG_TAG"
         # Ensure images truly exist in PROD AR
         DST="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo"
-        apt-get update -qq && apt-get install -y -qq docker.io
+        apt-get update -qq && apt-get install -y -qq skopeo
-        gcloud auth configure-docker us-central1-docker.pkg.dev -q
+        TOKEN="$(gcloud auth print-access-token)"
-        for svc in server1 server2 server3 nginx; do
+        for s in server1 server2 server3 nginx; do
-          docker pull "$DST/$svc:$IMG_TAG" >/dev/null
+          skopeo inspect --creds "oauth2accesstoken:${TOKEN}" \
+            "docker://${DST}/${s}:${IMG_TAG}" >/dev/null
         done
         echo "✅ Prod AR has all images at :$IMG_TAG"
 
   - name: security-scan
+    privileged: true
     depends_on: [verify-sync]
     image: google/cloud-sdk:latest
     entrypoint:
@@ -75,14 +86,15 @@ steps:
         curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | bash
         export PATH="$PATH:$(pwd)/bin"
 
-        gcloud auth configure-docker us-central1-docker.pkg.dev -q
+        TOKEN="$(gcloud auth print-access-token)"
 
-        trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/server1:$IMG_TAG"
+        trivy image --username oauth2accesstoken --password "$TOKEN" --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/server1:$IMG_TAG"
-        trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/server2:$IMG_TAG"
+        trivy image --username oauth2accesstoken --password "$TOKEN" --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/server2:$IMG_TAG"
-        trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/server3:$IMG_TAG"
+        trivy image --username oauth2accesstoken --password "$TOKEN" --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/server3:$IMG_TAG"
-        trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/nginx:$IMG_TAG"
+        trivy image --username oauth2accesstoken --password "$TOKEN" --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/nginx:$IMG_TAG"
 
   - name: prod-deploy
+    privileged: true
     depends_on: [security-scan]
     image: google/cloud-sdk:latest
     entrypoint: