Fix DinD seccomp profile broken by RuntimeDefault rollout

The pod-level RuntimeDefault seccomp profile (07e9c81) overrides the
DinD sidecar's privileged flag in newer Kubernetes versions, blocking
Docker daemon syscalls. Set Unconfined explicitly on the DinD container
while keeping RuntimeDefault on the runner container.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Erich Blume 2026-03-29 17:09:57 -07:00
commit 924325ebd5

@ -74,6 +74,8 @@ spec:
image: docker:kustomized
securityContext:
privileged: true
seccompProfile:
type: Unconfined
env:
- name: DOCKER_TLS_CERTDIR
value: ""
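
Review bot: The new `seccompProfile:` / `type: Unconfined` pair under the DinD container's `securityContext` has no comment saying why it is needed next to `privileged: true`, so a later hardening pass could reasonably read it as a mistake and switch it back to RuntimeDefault, breaking the daemon again. Add a short YAML comment above `seccompProfile:` stating that it overrides the pod-level RuntimeDefault profile because that profile blocks Docker daemon syscalls, and that it is meant for this sidecar only. It is also worth noting there that this container now runs privileged with no syscall filter, so the exception should stay scoped to the container-level `securityContext` and not move up to the pod spec.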