Adopt Dagger CI for container builds (Phase 1) (#156)

## Summary

- Add Dagger Python module (`.dagger/`) with `build` and `publish` functions for container images
- Replace Docker buildx + skopeo composite action with `dagger call publish` in `build-container.yaml`
- BuildKit's native push is compatible with Zot — **skopeo workaround eliminated**
- Add Dagger CLI (v0.19.11) to forgejo-runner Dockerfile, bump runner to v2.6.0
- Bootstrap step in workflow curl-installs dagger if not in runner (for first build on v2.5.1 runner)
- Delete old `.forgejo/actions/build-push-image/` composite action
- Add GPLv3 LICENSE

## Verified locally

- `dagger call build --src=. --container-name=nettest` — builds ✓
- `dagger call publish --src=. --container-name=nettest --version=dagger-test` — pushed to Zot ✓
- `dagger call build --src=. --container-name=forgejo-runner` — new runner image builds ✓
- Dagger CLI accessible inside built runner image ✓

## Deployment sequence (after merge)

1. `mise run container-tag-and-release forgejo-runner v2.6.0` — old runner bootstraps dagger via curl, builds new runner
2. `argocd app sync forgejo-runner` — runner restarts with v2.6.0 (dagger baked in)
3. `mise run container-tag-and-release nettest v0.13.0` — end-to-end test of new pipeline
4. `mise run container-list` — verify tags

## Not included (future phases)

- Phase 2: docs build + Forgejo packages migration
- Phase 3: runner simplification (remove skopeo, Node.js, etc.)
- Phase 4: future workflows

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/156

.forgejo/actions/build-push-image/action.yaml

@@ -1,67 +0,0 @@
-name: 'Build and Push Image'
-description: 'Build a container image with Docker and push to registry.ops.eblu.me using skopeo'
-
-# Note: Uses skopeo for push because Docker 27's manifest format has compatibility
-# issues with zot registry. Skopeo handles manifest conversion correctly.
-
-inputs:
-  context:
-    description: 'Build context path'
-    required: true
-  dockerfile:
-    description: 'Dockerfile path (relative to context)'
-    required: false
-    default: 'Dockerfile'
-  image_name:
-    description: 'Image name (without registry, e.g. blumeops/devpi)'
-    required: true
-  version:
-    description: 'Version tag (e.g. v1.0.0)'
-    required: true
-  registry:
-    description: 'Registry URL'
-    required: false
-    default: 'registry.ops.eblu.me'
-
-runs:
-  using: 'composite'
-  steps:
-    - name: Build image
-      shell: bash
-      run: |
-        echo "Building ${{ inputs.image_name }}:${{ inputs.version }}"
-        docker buildx build \
-          --tag ${{ inputs.image_name }}:${{ inputs.version }} \
-          --file ${{ inputs.context }}/${{ inputs.dockerfile }} \
-          ${{ inputs.context }}
-
-    - name: Push to registry
-      shell: bash
-      run: |
-        echo "Saving image to tarball..."
-        docker save ${{ inputs.image_name }}:${{ inputs.version }} -o /tmp/image.tar
-
-        echo "Installing skopeo..."
-        apk add --no-cache skopeo >/dev/null 2>&1 || apt-get update && apt-get install -y skopeo >/dev/null 2>&1 || true
-
-        echo "Pushing ${{ inputs.registry }}/${{ inputs.image_name }}:${{ inputs.version }}"
-        skopeo copy \
-          docker-archive:/tmp/image.tar \
-          docker://${{ inputs.registry }}/${{ inputs.image_name }}:${{ inputs.version }}
-
-        echo "Pushing ${{ inputs.registry }}/${{ inputs.image_name }}:${{ github.sha }}"
-        skopeo copy \
-          docker-archive:/tmp/image.tar \
-          docker://${{ inputs.registry }}/${{ inputs.image_name }}:${{ github.sha }}
-
-        rm -f /tmp/image.tar
-
-    - name: Summary
-      shell: bash
-      run: |
-        echo "Built and pushed:"
-        echo "   ${{ inputs.registry }}/${{ inputs.image_name }}:${{ inputs.version }}"
-        echo "   ${{ inputs.registry }}/${{ inputs.image_name }}:${{ github.sha }}"
-        echo ""
-        echo "Registry tags:"
-        curl -sf "https://${{ inputs.registry }}/v2/${{ inputs.image_name }}/tags/list" | jq -r '.tags[]' 2>/dev/null | sort -V | tail -10 || true

.forgejo/workflows/build-container.yaml

@@ -2,6 +2,8 @@
 # Triggers on tags matching: <container>-v<version>
 # Builds from containers/<container>/Dockerfile if it exists
 #
+# Uses Dagger to build and push images to the Zot registry.
+#
 # Examples:
 #   nettest-v1.0.0  -> builds containers/nettest/
 #   devpi-v2.1.0    -> builds containers/devpi/
@@ -45,7 +47,6 @@ jobs:
           if [ -f "$CONTEXT/Dockerfile" ]; then
             echo "Found $CONTEXT/Dockerfile"
             echo "exists=true" >> "$GITHUB_OUTPUT"
-            echo "context=$CONTEXT" >> "$GITHUB_OUTPUT"
           else
             echo "No Dockerfile found at $CONTEXT/Dockerfile"
             echo "exists=false" >> "$GITHUB_OUTPUT"
@@ -67,10 +68,22 @@ jobs:
           echo ""
           echo "Skipping build."
 
-      - name: Build and push image
+      - name: Ensure Dagger CLI
         if: steps.check.outputs.exists == 'true'
-        uses: ./.forgejo/actions/build-push-image
-        with:
-          context: ${{ steps.check.outputs.context }}
-          image_name: blumeops/${{ steps.parse.outputs.container }}
-          version: ${{ steps.parse.outputs.version }}
+        run: |
+          # Bootstrap: install dagger if not already in the runner image.
+          # Remove once all runners include dagger (Phase 3).
+          if ! command -v dagger &>/dev/null; then
+            echo "Dagger not found, installing..."
+            curl -fsSL https://dl.dagger.io/dagger/install.sh | DAGGER_VERSION=0.19.11 sh
+            mv ./bin/dagger /usr/local/bin/dagger && rmdir ./bin
+          fi
+          dagger version
+
+      - name: Publish
+        if: steps.check.outputs.exists == 'true'
+        run: |
+          dagger call publish \
+            --src=. \
+            --container-name=${{ steps.parse.outputs.container }} \
+            --version=${{ steps.parse.outputs.version }}