From 9f5dae5707dc4cb149578f82c79ee528002ef9da Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Fri, 23 Jan 2026 20:14:03 -0800
Subject: [PATCH] Switch to Buildah for container builds (no Docker socket needed)

- Replace docker-cli with buildah/podman in runner image
- Configure buildah for overlay storage with fuse-overlayfs
- Add registry config for insecure local registry
- Remove Docker socket mount and root security context from deployment
- Update composite action to use buildah bud/push instead of docker

Buildah is daemonless - no Docker socket required, cleaner security model.

Co-Authored-By: Claude Opus 4.5
---
.forgejo/actions/build-push-image/action.yaml | 16 +++++------
argocd/manifests/forgejo-runner/Dockerfile | 27 ++++++++++++++++---
.../manifests/forgejo-runner/deployment.yaml | 15 -----------
3 files changed, 31 insertions(+), 27 deletions(-)

diff --git a/.forgejo/actions/build-push-image/action.yaml b/.forgejo/actions/build-push-image/action.yaml
index 40b53a1..1d5676b 100644
--- a/.forgejo/actions/build-push-image/action.yaml
+++ b/.forgejo/actions/build-push-image/action.yaml
@@ -1,5 +1,5 @@ name: 'Build and Push Image' -description: 'Build a container image and push to zot registry' +description: 'Build a container image with Buildah and push to registry' inputs: context:
@@ -24,20 +24,20 @@ inputs: runs: using: 'composite' steps: - - name: Build image + - name: Build image with Buildah shell: bash run: | - docker build \ -t ${{ inputs.registry }}/${{ inputs.image_name }}:${{ inputs.tag }} \ -t ${{ inputs.registry }}/${{ inputs.image_name }}:${{ github.sha }} \ -f ${{ inputs.context }}/${{ inputs.dockerfile }} \ + buildah bud \ --tag ${{ inputs.registry }}/${{ inputs.image_name }}:${{ inputs.tag }} \ --tag ${{ inputs.registry }}/${{ inputs.image_name }}:${{ github.sha }} \ --file ${{ inputs.context }}/${{ inputs.dockerfile }} \ ${{ inputs.context }} - name: Push to registry shell: bash run: | - docker push ${{ inputs.registry }}/${{ inputs.image_name }}:${{ inputs.tag }} - docker push ${{ inputs.registry }}/${{ inputs.image_name }}:${{ github.sha }} + buildah push ${{ inputs.registry }}/${{ inputs.image_name }}:${{ inputs.tag }} + buildah push ${{ inputs.registry }}/${{ inputs.image_name }}:${{ github.sha }} - name: Verify push shell: bash
diff --git a/argocd/manifests/forgejo-runner/Dockerfile b/argocd/manifests/forgejo-runner/Dockerfile
index e511440..5bbdef5 100644
--- a/argocd/manifests/forgejo-runner/Dockerfile
+++ b/argocd/manifests/forgejo-runner/Dockerfile
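Review bot: The new `buildah bud` and `buildah push` lines splice `inputs.registry`, `inputs.image_name`, `inputs.tag`, `inputs.context` and `inputs.dockerfile` straight into the bash script, unquoted, so any caller-supplied value containing shell metacharacters (a tag derived from a branch or PR name, for example) is executed as code on the runner; this was already true of the docker lines being replaced, but the rewrite is the moment to fix it by mapping each input to an `env:` variable and referencing it quoted, as sketched below. `buildah bud` is the legacy alias for `buildah build`; both work, but `build` is the documented command name. Apply the same `env:`/quoting change to the push step; the `Verify push` step that follows is cut off at the end of the hunk, so I cannot tell whether it has the same issue.

```yaml
  - name: Build image with Buildah
    shell: bash
    env:
      REGISTRY: ${{ inputs.registry }}
      IMAGE_NAME: ${{ inputs.image_name }}
      TAG: ${{ inputs.tag }}
      SHA: ${{ github.sha }}
      CONTEXT: ${{ inputs.context }}
      DOCKERFILE: ${{ inputs.dockerfile }}
    run: |
      buildah build \
        --tag "${REGISTRY}/${IMAGE_NAME}:${TAG}" \
        --tag "${REGISTRY}/${IMAGE_NAME}:${SHA}" \
        --file "${CONTEXT}/${DOCKERFILE}" \
        "${CONTEXT}"
  # … unchanged: push step, with the same env block and quoted "${REGISTRY}/${IMAGE_NAME}:${TAG}" references …
```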
@@ -18,12 +18,31 @@ RUN apk add --no-cache \ gcc \ g++ \ musl-dev \ - # For container builds ca-certificates \ docker-cli + # For container builds (daemonless, no Docker socket needed) buildah \ podman \ fuse-overlayfs \ shadow \ ca-certificates + +# Configure buildah for rootless operation +RUN mkdir -p /etc/containers && \ echo '[storage]' > /etc/containers/storage.conf && \ echo 'driver = "overlay"' >> /etc/containers/storage.conf && \ echo 'runroot = "/tmp/containers-run"' >> /etc/containers/storage.conf && \ echo 'graphroot = "/tmp/containers-storage"' >> /etc/containers/storage.conf && \ echo '[storage.options.overlay]' >> /etc/containers/storage.conf && \ echo 'mount_program = "/usr/bin/fuse-overlayfs"' >> /etc/containers/storage.conf + +# Configure registries (allow insecure for local registry) +RUN mkdir -p /etc/containers && \ echo 'unqualified-search-registries = ["docker.io"]' > /etc/containers/registries.conf && \ echo '[[registry]]' >> /etc/containers/registries.conf && \ echo 'location = "registry.tail8d86e.ts.net"' >> /etc/containers/registries.conf && \ echo 'insecure = true' >> /etc/containers/registries.conf # Verify tools are available -RUN node --version && npm --version && docker --version +RUN node --version && npm --version && buildah --version # Switch back to non-root user USER 1000
diff --git a/argocd/manifests/forgejo-runner/deployment.yaml b/argocd/manifests/forgejo-runner/deployment.yaml
index 57f1f05..0848e4a 100644
--- a/argocd/manifests/forgejo-runner/deployment.yaml
+++ b/argocd/manifests/forgejo-runner/deployment.yaml
@@ -48,8 +48,6 @@ spec: mountPath: /data - name: runner-config mountPath: /config - - name: docker-sock mountPath: /var/run/docker.sock resources: requests: memory: "256Mi"
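Review bot: `insecure = true` in the new registries.conf disables TLS certificate verification (and permits a plaintext HTTP fallback) for every pull from and push to `registry.tail8d86e.ts.net`, so the images this runner publishes can be read or replaced by anything on the path to the registry; the `.ts.net` name suggests a tailnet host that can serve a valid certificate, in which case drop that line and, if the registry uses a private CA, ship it at `/etc/containers/certs.d/registry.tail8d86e.ts.net/ca.crt` instead. The storage.conf written here also hard-requires `/dev/fuse` for `mount_program = "/usr/bin/fuse-overlayfs"`, and rootless buildah as `USER 1000` additionally needs `/etc/subuid`/`/etc/subgid` ranges (the `shadow` package alone does not create them) plus the `SETUID`/`SETGID` capabilities for `newuidmap`; the deployment.yaml hunks in this patch only remove settings and grant none of these, so either confirm the runner pod already has them or switch to `driver = "vfs"`, which needs neither, at some cost in build speed. Consider adding `short-name-mode = "enforcing"` next to `unqualified-search-registries` so an unqualified `FROM alpine` in a workflow cannot silently resolve to Docker Hub. The `RUN apk add --no-cache \` statement this hunk edits begins on line 18, above the first hunk line.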
@@ -57,22 +55,9 @@ spec: limits: memory: "1Gi" cpu: "1000m" - securityContext: - # Run as root with docker group to access Docker socket - runAsUser: 0 - runAsGroup: 0 - securityContext: - # Add docker group (GID 999 in minikube) for socket access - fsGroup: 999 - supplementalGroups: - - 999 volumes: - name: runner-data emptyDir: {} - name: runner-config configMap: name: forgejo-runner-config - - name: docker-sock - hostPath: - path: /var/run/docker.sock - type: Socket