Add container build workflows with composite action

- Create composite action: .forgejo/actions/build-push-image
- Add build-runner.yaml workflow (triggers on Dockerfile changes)
- Add build-devpi.yaml workflow (triggers on Dockerfile/start.sh changes)
- Mount Docker socket in runner deployment for container builds
- Run runner as root to access Docker socket

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

.forgejo/actions/build-push-image/action.yaml

@@ -0,0 +1,47 @@
+name: 'Build and Push Image'
+description: 'Build a container image and push to zot registry'
+
+inputs:
+  context:
+    description: 'Build context path'
+    required: true
+  dockerfile:
+    description: 'Dockerfile path (relative to context)'
+    required: false
+    default: 'Dockerfile'
+  image_name:
+    description: 'Image name (without registry, e.g. blumeops/devpi)'
+    required: true
+  tag:
+    description: 'Image tag'
+    required: false
+    default: 'latest'
+  registry:
+    description: 'Registry URL'
+    required: false
+    default: 'registry.tail8d86e.ts.net'
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Build image
+      shell: bash
+      run: |
+        docker build \
+          -t ${{ inputs.registry }}/${{ inputs.image_name }}:${{ inputs.tag }} \
+          -t ${{ inputs.registry }}/${{ inputs.image_name }}:${{ github.sha }} \
+          -f ${{ inputs.context }}/${{ inputs.dockerfile }} \
+          ${{ inputs.context }}
+
+    - name: Push to registry
+      shell: bash
+      run: |
+        docker push ${{ inputs.registry }}/${{ inputs.image_name }}:${{ inputs.tag }}
+        docker push ${{ inputs.registry }}/${{ inputs.image_name }}:${{ github.sha }}
+
+    - name: Verify push
+      shell: bash
+      run: |
+        echo "✅ Pushed: ${{ inputs.registry }}/${{ inputs.image_name }}:${{ inputs.tag }}"
+        echo "✅ Pushed: ${{ inputs.registry }}/${{ inputs.image_name }}:${{ github.sha }}"
+        curl -sf "https://${{ inputs.registry }}/v2/${{ inputs.image_name }}/tags/list" | jq .

.forgejo/workflows/build-devpi.yaml

@@ -0,0 +1,23 @@
+name: Build devpi Image
+
+on:
+  push:
+    paths:
+      - 'argocd/manifests/devpi/Dockerfile'
+      - 'argocd/manifests/devpi/start.sh'
+      - '.forgejo/workflows/build-devpi.yaml'
+    branches: [main]
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Build and push
+        uses: ./.forgejo/actions/build-push-image
+        with:
+          context: argocd/manifests/devpi
+          image_name: blumeops/devpi

.forgejo/workflows/build-runner.yaml

@@ -0,0 +1,23 @@
+name: Build Runner Image
+
+on:
+  push:
+    paths:
+      - 'argocd/manifests/forgejo-runner/Dockerfile'
+      - '.forgejo/actions/build-push-image/**'
+      - '.forgejo/workflows/build-runner.yaml'
+    branches: [main]
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Build and push
+        uses: ./.forgejo/actions/build-push-image
+        with:
+          context: argocd/manifests/forgejo-runner
+          image_name: blumeops/forgejo-runner

argocd/manifests/forgejo-runner/deployment.yaml

@@ -48,6 +48,8 @@ spec:
               mountPath: /data
             - name: runner-config
               mountPath: /config
+            - name: docker-sock
+              mountPath: /var/run/docker.sock
           resources:
             requests:
               memory: "256Mi"
@@ -55,9 +57,16 @@ spec:
             limits:
               memory: "1Gi"
               cpu: "1000m"
+          securityContext:
+            # Run as root to access Docker socket
+            runAsUser: 0
       volumes:
         - name: runner-data
           emptyDir: {}
         - name: runner-config
           configMap:
             name: forgejo-runner-config
+        - name: docker-sock
+          hostPath:
+            path: /var/run/docker.sock
+            type: Socket