Simplify runner image (Dagger Phase 3) (#162)

## Summary

With Phases 1 and 2 complete, the runner image no longer needs most of its bundled tools. This PR strips it down and adds what was missing.

**Removed** (now inside Dagger containers):
- Node.js 24.x
- Docker CLI + buildx plugin
- skopeo
- gnupg, lsb-release, xz-utils

**Added:**
- `tzdata` — fixes the TZ env var (#159, #160, #161) so `TZ=America/Los_Angeles` actually works
- `flyctl` — was being installed from scratch every release

**Workflow changes:**
- Remove "Ensure Dagger CLI" bootstrap steps from both workflows (Dagger is in the image)
- Remove "Install flyctl" step from build-blumeops (flyctl is in the image)
- Remove job-level `TZ` from build-blumeops (moved to runner configmap `runner.envs`)
- Set `TZ: America/Los_Angeles` in runner configmap so all job containers inherit it

## Deployment

After merge:
1. Build and release the new runner image: `mise run container-release forgejo-runner v2.0.0`
2. Sync the runner: `argocd app sync forgejo-runner`
3. Verify: `kubectl -n forgejo-runner exec deploy/forgejo-runner -c runner -- date` (but the real test is running a docs release and checking the changelog date)

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/162
Erich Blume 2026-02-11 17:24:20 -08:00
commit 95364dcb48
6 changed files with 13 additions and 52 deletions


@ -3,7 +3,8 @@
# This image is used as the job execution environment for Forgejo Actions.
# The host runner daemon creates containers from this image to run workflow steps.
#
# Includes: Node.js (for GitHub Actions), Docker CLI, git, and common CI tools.
# Build logic (container images, docs site) runs inside Dagger containers,
# so this image only needs: git, Dagger CLI, ArgoCD CLI, uv, and basic tools.
#
# Usage: Configure runner with label like:
# docker:docker://registry.ops.eblu.me/blumeops/forgejo-runner:latest
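Review bot: The rewritten header comment lists the image contents as "git, Dagger CLI, ArgoCD CLI, uv, and basic tools", but this same commit adds flyctl and tzdata further down; add both so the comment stays an accurate inventory of what is baked into the image. The usage line also still shows the `:latest` tag while the deployment notes release a specific version (v2.0.0); showing a pinned tag in the example would keep runners from picking up a new image without a deliberate change.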
@ -18,24 +19,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
curl \
git \
jq \
gnupg \
lsb-release \
xz-utils \
&& rm -rf /var/lib/apt/lists/*
# Install Node.js 24.x LTS (required for actions/checkout@v4 and Quartz builds)
RUN curl -fsSL https://deb.nodesource.com/setup_24.x | bash - \
&& apt-get install -y --no-install-recommends nodejs \
&& rm -rf /var/lib/apt/lists/*
# Install Docker CLI (for container builds - daemon accessed via socket mount)
# and skopeo (for pushing images to zot registry - Docker 27 manifest compat issues)
RUN install -m 0755 -d /etc/apt/keyrings \
&& curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc \
&& chmod a+r /etc/apt/keyrings/docker.asc \
&& echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian $(lsb_release -cs) stable" > /etc/apt/sources.list.d/docker.list \
&& apt-get update \
&& apt-get install -y --no-install-recommends docker-ce-cli docker-buildx-plugin skopeo \
tzdata \
&& rm -rf /var/lib/apt/lists/*
# Install uv (Python package runner for towncrier)
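Review bot: The Node.js block dropped here carried the comment "required for actions/checkout@v4", so any workflow step that still uses a JavaScript-based action will fail in this image. Confirm that every workflow using this runner label has replaced such steps (the checkout in particular), and consider stating in the Dockerfile header that JavaScript actions are no longer supported. On the added `tzdata` line: if `DEBIAN_FRONTEND=noninteractive` is not set earlier in the file, set it for this `apt-get install`, since tzdata's configuration step can prompt for a region during the build.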
@ -44,7 +28,6 @@ RUN curl -LsSf https://astral.sh/uv/install.sh | sh \
&& mv /root/.local/bin/uvx /usr/local/bin/uvx
# Install argocd CLI (for syncing apps from workflows)
# Use dpkg --print-architecture as fallback since TARGETARCH may be empty in single-platform builds
RUN ARCH="${TARGETARCH:-$(dpkg --print-architecture)}" \
&& curl -fsSL -o /usr/local/bin/argocd \
"https://github.com/argoproj/argo-cd/releases/latest/download/argocd-linux-${ARCH}" \
@ -60,5 +43,10 @@ RUN ARCH="${TARGETARCH:-$(dpkg --print-architecture)}" \
&& rm /tmp/dagger.tar.gz \
&& dagger version
# Install flyctl (for Fly.io cache purge after docs deploy)
RUN curl -L https://fly.io/install.sh | sh \
&& mv /root/.fly/bin/flyctl /usr/local/bin/fly \
&& rm -rf /root/.fly
# Default to bash
CMD ["/bin/bash"]
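Review bot: The new flyctl step runs `curl -L https://fly.io/install.sh | sh` without `-f`, unlike the other downloads in this file (`curl -fsSL`, `curl -LsSf`), so an HTTP error body would be piped into sh instead of failing the build; use `curl -fsSL` at minimum. The installer is also unpinned and unverified, and the `/root/.fly` path shows it runs as root at build time, so each rebuild trusts whatever the script and binary are on that day; pinning a flyctl version and checking the download against a published checksum would make the image reproducible. The same applies to the argocd download above, which fetches `releases/latest/download/argocd-linux-${ARCH}` with no integrity check visible in these lines. Finally, the binary is moved to `/usr/local/bin/fly` while the comment and the PR description call the tool `flyctl`; check that the workflows invoke `fly`, or install it under both names.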