Switch to Buildah for container builds (#51)

## Summary
- Replace Docker with Buildah for container image builds
- No Docker socket required - buildah is daemonless
- Cleaner security model (no privileged containers or socket mounting)
- Remove Docker-related security context from deployment

## Changes
- Update Dockerfile to install buildah/podman instead of docker-cli
- Configure buildah storage with overlay driver and fuse-overlayfs
- Update composite action to use `buildah bud` and `buildah push`
- Add `imagePullPolicy: Always` to ensure fresh image pulls
- Update test workflow to verify buildah/podman

## Testing
- [ ] Runner pod starts successfully
- [ ] Buildah is available in runner
- [ ] Test workflow verifies buildah/podman versions
- [ ] Container build workflow builds and pushes to zot

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.tail8d86e.ts.net/eblume/blumeops/pulls/51

ansible/playbooks/indri.yml

@@ -61,6 +61,23 @@
       no_log: true
       tags: [forgejo]
 
+    # Forgejo runner token (for indri-based runner)
+    - name: Fetch forgejo runner token
+      ansible.builtin.command:
+        cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get w3663ffnvkewbftncqxtcpeavy --fields runner_reg --reveal
+      delegate_to: localhost
+      register: _forgejo_runner_token
+      changed_when: false
+      no_log: true
+      check_mode: false
+      tags: [forgejo_runner]
+
+    - name: Set forgejo runner token fact
+      ansible.builtin.set_fact:
+        forgejo_runner_token: "{{ _forgejo_runner_token.stdout }}"
+      no_log: true
+      tags: [forgejo_runner]
+
   roles:
     - role: alloy
       tags: alloy
@@ -82,3 +99,5 @@
       tags: plex_metrics
     - role: tailscale_serve
       tags: tailscale-serve
+    - role: forgejo_runner
+      tags: forgejo_runner