From 8d2e180d5d6c4ac44bf5c5640e05beeea6dfa41a Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Fri, 23 Jan 2026 22:13:03 -0800
Subject: [PATCH] Add subuid/subgid for rootless buildah

Buildah needs UID/GID remapping to extract images with files owned by different users (root, shadow, etc). Configure subordinate UID/GID ranges for the runner user.
Co-Authored-By: Claude Opus 4.5
---
 argocd/manifests/forgejo-runner/Dockerfile | 5 ++++-
 argocd/manifests/forgejo-runner/deployment.yaml | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/argocd/manifests/forgejo-runner/Dockerfile b/argocd/manifests/forgejo-runner/Dockerfile
index 64bf571..862f531 100644
--- a/argocd/manifests/forgejo-runner/Dockerfile
+++ b/argocd/manifests/forgejo-runner/Dockerfile
@@ -17,8 +17,11 @@ RUN make clean && make build
 FROM alpine:3.21
 # Create runner user with proper passwd entry (required by buildah)
+# Also configure subuid/subgid for rootless container builds
 RUN addgroup -g 1000 runner && \
- adduser -D -u 1000 -G runner -h /data runner
+ adduser -D -u 1000 -G runner -h /data runner && \
+ echo "runner:100000:65536" >> /etc/subuid && \
+ echo "runner:100000:65536" >> /etc/subgid
 # Install runtime dependencies
 RUN apk add --no-cache \
diff --git a/argocd/manifests/forgejo-runner/deployment.yaml b/argocd/manifests/forgejo-runner/deployment.yaml
index ef35053..79c70d3 100644
--- a/argocd/manifests/forgejo-runner/deployment.yaml
+++ b/argocd/manifests/forgejo-runner/deployment.yaml
@@ -16,7 +16,7 @@ spec:
 serviceAccountName: forgejo-runner
 containers:
 - name: runner
- image: registry.tail8d86e.ts.net/blumeops/forgejo-runner:v1.0.1
+ image: registry.tail8d86e.ts.net/blumeops/forgejo-runner:v1.0.3
 env:
 # Use internal k8s service via Tailscale operator egress
 - name: FORGEJO_INSTANCE_URL
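Review bot: In the Dockerfile hunk, the two `echo "runner:100000:65536"` lines only declare the subordinate ranges; rootless buildah normally applies them through `newuidmap`/`newgidmap`, and the package list under `RUN apk add --no-cache \` continues outside this hunk, so it is not visible whether `shadow-uidmap` is installed. Those helpers rely on setuid bits or file capabilities, so they would presumably also fail if the pod runs with `allowPrivilegeEscalation: false`. Confirm that the deployment's securityContext permits the mapping without resorting to a privileged container. I would extend the new comment to record the dependency, for example `# Range 100000-165535 is applied via newuidmap/newgidmap (shadow-uidmap); pod must allow user namespaces`.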