Switch to Buildah for container builds (#51)

## Summary - Replace Docker with Buildah for container image builds - No Docker socket required - buildah is daemonless - Cleaner security model (no privileged containers or socket mounting) - Remove Docker-related security context from deployment ## Changes - Update Dockerfile to install buildah/podman instead of docker-cli - Configure buildah storage with overlay driver and fuse-overlayfs - Update composite action to use `buildah bud` and `buildah push` - Add `imagePullPolicy: Always` to ensure fresh image pulls - Update test workflow to verify buildah/podman ## Testing - [ ] Runner pod starts successfully - [ ] Buildah is available in runner - [ ] Test workflow verifies buildah/podman versions - [ ] Container build workflow builds and pushes to zot 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.tail8d86e.ts.net/eblume/blumeops/pulls/51
2026-01-24 13:30:26 -08:00 · 2026-01-24 13:30:26 -08:00 · 8ca8798121
commit 8ca8798121
parent 5fcd122494
23 changed files with 366 additions and 163 deletions
--- a/.forgejo/actions/build-push-image/action.yaml
+++ b/.forgejo/actions/build-push-image/action.yaml
@ -0,0 +1,54 @@
+name: 'Build and Push Image'
+description: 'Build a container image with Docker and push to zot registry'
+
+# TODO: Investigate zot tag immutability to prevent overwriting released versions
+# See: https://zotregistry.dev/v2.1.1/articles/immutable-tags/
+
+inputs:
+  context:
+    description: 'Build context path'
+    required: true
+  dockerfile:
+    description: 'Dockerfile path (relative to context)'
+    required: false
+    default: 'Dockerfile'
+  image_name:
+    description: 'Image name (without registry, e.g. blumeops/devpi)'
+    required: true
+  version:
+    description: 'Version tag (e.g. v1.0.0)'
+    required: true
+  registry:
+    description: 'Registry URL'
+    required: false
+    default: 'registry.tail8d86e.ts.net'
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Build image with Docker
+      shell: bash
+      run: |
+        echo "Building ${{ inputs.image_name }}:${{ inputs.version }}"
+        docker build \
+          --tag ${{ inputs.registry }}/${{ inputs.image_name }}:${{ inputs.version }} \
+          --tag ${{ inputs.registry }}/${{ inputs.image_name }}:${{ github.sha }} \
+          --file ${{ inputs.context }}/${{ inputs.dockerfile }} \
+          ${{ inputs.context }}
+
+    - name: Push to registry
+      shell: bash
+      run: |
+        echo "Pushing ${{ inputs.image_name }}:${{ inputs.version }}"
+        docker push ${{ inputs.registry }}/${{ inputs.image_name }}:${{ inputs.version }}
+        docker push ${{ inputs.registry }}/${{ inputs.image_name }}:${{ github.sha }}
+
+    - name: Summary
+      shell: bash
+      run: |
+        echo "Built and pushed:"
+        echo "   ${{ inputs.registry }}/${{ inputs.image_name }}:${{ inputs.version }}"
+        echo "   ${{ inputs.registry }}/${{ inputs.image_name }}:${{ github.sha }}"
+        echo ""
+        echo "Registry tags:"
+        curl -sf "https://${{ inputs.registry }}/v2/${{ inputs.image_name }}/tags/list" | jq -r '.tags[]' | sort -V | tail -10 || true