diff --git a/argocd/manifests/forgejo-runner/Dockerfile b/argocd/manifests/forgejo-runner/Dockerfile
index 64bf571..862f531 100644
--- a/argocd/manifests/forgejo-runner/Dockerfile
+++ b/argocd/manifests/forgejo-runner/Dockerfile
@@ -17,8 +17,11 @@ RUN make clean && make build
 FROM alpine:3.21
 
 # Create runner user with proper passwd entry (required by buildah)
+# Also configure subuid/subgid for rootless container builds
 RUN addgroup -g 1000 runner && \
-    adduser -D -u 1000 -G runner -h /data runner
+    adduser -D -u 1000 -G runner -h /data runner && \
+    echo "runner:100000:65536" >> /etc/subuid && \
+    echo "runner:100000:65536" >> /etc/subgid
 
 # Install runtime dependencies
 RUN apk add --no-cache \
diff --git a/argocd/manifests/forgejo-runner/deployment.yaml b/argocd/manifests/forgejo-runner/deployment.yaml
index ef35053..79c70d3 100644
--- a/argocd/manifests/forgejo-runner/deployment.yaml
+++ b/argocd/manifests/forgejo-runner/deployment.yaml
@@ -16,7 +16,7 @@ spec:
       serviceAccountName: forgejo-runner
       containers:
         - name: runner
-          image: registry.tail8d86e.ts.net/blumeops/forgejo-runner:v1.0.1
+          image: registry.tail8d86e.ts.net/blumeops/forgejo-runner:v1.0.3
           env:
             # Use internal k8s service via Tailscale operator egress
             - name: FORGEJO_INSTANCE_URL