ci: add --registry-mirror=mirror.gcr.io to all kaniko build steps

Kaniko has its own HTTP client and ignores the dind --registry-mirror flag.
Passing --registry-mirror=mirror.gcr.io directly to kaniko lets it pull
python:3.11-slim (and other Docker Hub base images) via Google's mirror
instead of the Cloudflare CDN endpoint (172.64.66.1) which is unreachable
from the runner's dind network.

Also adds mirror to dind deployment args (--registry-mirror=https://mirror.gcr.io)
so node:16-bullseye (the job runner container) is also fetched via mirror.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.gitea/workflows/ci.yml

@@ -33,7 +33,7 @@ jobs:
           tag: ${{ steps.tag.outputs.TAG }}
           path: .
           build_file: Dockerfile
-          extra_args: --insecure --skip-tls-verify
+          extra_args: --insecure --skip-tls-verify --registry-mirror=mirror.gcr.io
 
       - name: Build and push API image
         uses: aevea/action-kaniko@master
@@ -45,7 +45,7 @@ jobs:
           tag: ${{ steps.tag.outputs.TAG }}
           path: .
           build_file: Dockerfile.api
-          extra_args: --insecure --skip-tls-verify
+          extra_args: --insecure --skip-tls-verify --registry-mirror=mirror.gcr.io
 
       - name: Build and push dashboard image
         uses: aevea/action-kaniko@master
@@ -57,7 +57,7 @@ jobs:
           tag: ${{ steps.tag.outputs.TAG }}
           path: dashboard
           build_file: Dockerfile
-          extra_args: --insecure --skip-tls-verify
+          extra_args: --insecure --skip-tls-verify --registry-mirror=mirror.gcr.io
 
       - name: Update k8s manifests
         run: |