penpot: introduce ci for building custom penpot images

This is in preparation for building penpot images with custom patches
applied.

.woodpecker/penpot.yaml

@@ -0,0 +1,91 @@
+when:
+  - event: push
+    path: 
+      - 'penpot/**'
+      - '.woodpecker/penpot.yaml'
+  - event: cron
+    cron: daily
+
+# Manually set a workspace path, so we can use it literally, without using
+# ${CI_WORKSPACE}, when running kaniko, since using ${CI_WORKSPACE} doesn't work.
+# https://github.com/woodpecker-ci/woodpecker/issues/3982
+workspace:
+  path: src
+
+# Use matrix to set PENPOT_VERSION instead of setting the PENPOT_VERSION as an
+# environment variable in the build-images step, since string substitution
+# doesn't work for custom environment variables.
+# https://github.com/woodpecker-ci/woodpecker/issues/3983
+# Also because global environment variables aren't a thing.
+matrix:
+  PENPOT_VERSION:
+    - 2.1.2
+  IMAGE_BASE_NAME:
+    - git.hamburg.ccc.de/ccchh/oci-images/penpot
+  IMAGE_TYPE:
+    - frontend
+    - backend
+    - exporter
+
+steps:
+  - name: setup-image-path
+    image: alpine
+    commands:
+      - mkdir /woodpecker/images
+
+  - name: setup-penpot-repo
+    image: alpine
+    commands:
+      - apk -u add git curl
+      - git clone --branch $PENPOT_VERSION https://github.com/penpot/penpot.git /woodpecker/penpot
+      - cd /woodpecker/penpot
+      - git submodule update --init --recursive
+      # Get build system patch allowing for building images with kaniko.
+      # https://github.com/penpot/penpot/pull/4945
+      # https://github.com/penpot/penpot/pull/4945/commits/752574bac789cc90cc218004bb9545cc6239895d
+      - curl https://github.com/penpot/penpot/commit/752574bac789cc90cc218004bb9545cc6239895d.patch > 0001-move-entire-image-build-process-into-Dockerfiles.patch
+      - git config user.name "Woodpecker"
+      - git config user.email "woodpecker@woodpecker.invalid"
+      - git am *.patch
+
+  - name: build-image
+    image: gcr.io/kaniko-project/executor
+    entrypoint:
+      - /kaniko/executor
+      - --context=dir:///woodpecker/penpot
+      - --dockerfile=./docker/images/Dockerfile.${IMAGE_TYPE}
+      - --destination=${IMAGE_BASE_NAME}/${IMAGE_TYPE}:${PENPOT_VERSION}
+      - --no-push
+      - --tar-path=/woodpecker/images/penpot-${IMAGE_TYPE}.tar
+
+  - name: publish-image
+    image: docker.io/library/alpine
+    secrets:
+      - GIT_API_TOKEN
+    commands:
+      - apk -u add crane
+      - crane auth login git.hamburg.ccc.de -u woodpecker -p $GIT_API_TOKEN
+      - crane push /woodpecker/images/penpot-$IMAGE_TYPE.tar $IMAGE_BASE_NAME/$IMAGE_TYPE:$PENPOT_VERSION-$CI_COMMIT_BRANCH
+
+  - name: tag-version
+    image: docker.io/library/alpine
+    when:
+      - branch: main
+    secrets:
+      - GIT_API_TOKEN
+    commands:
+      - apk -u add crane
+      - crane auth login git.hamburg.ccc.de -u woodpecker -p $GIT_API_TOKEN
+      - crane tag $IMAGE_BASE_NAME/$IMAGE_TYPE:$PENPOT_VERSION-$CI_COMMIT_BRANCH $PENPOT_VERSION
+
+  - name: tag-latest
+    image: docker.io/library/alpine
+    when:
+      - branch: main
+        evaluate: 'PENPOT_VERSION == "2.1.2"'
+    secrets:
+      - GIT_API_TOKEN
+    commands:
+      - apk -u add crane
+      - crane auth login git.hamburg.ccc.de -u woodpecker -p $GIT_API_TOKEN
+      - crane tag $IMAGE_BASE_NAME/$IMAGE_TYPE:$PENPOT_VERSION-$CI_COMMIT_BRANCH latest

README.md

@@ -11,4 +11,7 @@ Tools in use:
 ## Images
 
 - `git.hamburg.ccc.de/CCCHH/oci-images/keycloak`
-- `git.hamburg.ccc.de/CCCHH/oci-images/nextcloud`
+- `git.hamburg.ccc.de/CCCHH/oci-images/nextcloud`
+- `git.hamburg.ccc.de/CCCHH/oci-images/penpot/frontend`
+- `git.hamburg.ccc.de/CCCHH/oci-images/penpot/backend`
+- `git.hamburg.ccc.de/CCCHH/oci-images/penpot/exporter`