From 4a3219648d782b51bc90654b750f7749c95d92a9 Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Fri, 23 Jan 2026 19:42:47 -0800 Subject: [PATCH 01/16] Add container build workflows with composite action - Create composite action: .forgejo/actions/build-push-image - Add build-runner.yaml workflow (triggers on Dockerfile changes) - Add build-devpi.yaml workflow (triggers on Dockerfile/start.sh changes) - Mount Docker socket in runner deployment for container builds - Run runner as root to access Docker socket Co-Authored-By: Claude Opus 4.5 --- .forgejo/actions/build-push-image/action.yaml | 47 +++++++++++++++++++ .forgejo/workflows/build-devpi.yaml | 23 +++++++++ .forgejo/workflows/build-runner.yaml | 23 +++++++++ .../manifests/forgejo-runner/deployment.yaml | 9 ++++ 4 files changed, 102 insertions(+) create mode 100644 .forgejo/actions/build-push-image/action.yaml create mode 100644 .forgejo/workflows/build-devpi.yaml create mode 100644 .forgejo/workflows/build-runner.yaml diff --git a/.forgejo/actions/build-push-image/action.yaml b/.forgejo/actions/build-push-image/action.yaml new file mode 100644 index 0000000..40b53a1 --- /dev/null +++ b/.forgejo/actions/build-push-image/action.yaml 
@@ -0,0 +1,47 @@ +name: 'Build and Push Image' +description: 'Build a container image and push to zot registry' + +inputs: + context: + description: 'Build context path' + required: true + dockerfile: + description: 'Dockerfile path (relative to context)' + required: false + default: 'Dockerfile' + image_name: + description: 'Image name (without registry, e.g. blumeops/devpi)' + required: true + tag: + description: 'Image tag' + required: false + default: 'latest' + registry: + description: 'Registry URL' + required: false + default: 'registry.tail8d86e.ts.net' + +runs: + using: 'composite' + steps: + - name: Build image + shell: bash + run: | + docker build \ + -t ${{ inputs.registry }}/${{ inputs.image_name }}:${{ inputs.tag }} \ + -t ${{ inputs.registry }}/${{ inputs.image_name }}:${{ github.sha }} \ + -f ${{ inputs.context }}/${{ inputs.dockerfile }} \ + ${{ inputs.context }} + + - name: Push to registry + shell: bash + run: | + docker push ${{ inputs.registry }}/${{ inputs.image_name }}:${{ inputs.tag }} + docker push ${{ inputs.registry }}/${{ inputs.image_name }}:${{ github.sha }} + + - name: Verify push + shell: bash + run: | + echo "✅ Pushed: ${{ inputs.registry }}/${{ inputs.image_name }}:${{ inputs.tag }}" + echo "✅ Pushed: ${{ inputs.registry }}/${{ inputs.image_name }}:${{ github.sha }}" + curl -sf "https://${{ inputs.registry }}/v2/${{ inputs.image_name }}/tags/list" | jq . diff --git a/.forgejo/workflows/build-devpi.yaml b/.forgejo/workflows/build-devpi.yaml new file mode 100644 index 0000000..9937bc9 --- /dev/null +++ b/.forgejo/workflows/build-devpi.yaml 
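Review bot: Every `${{ inputs.* }}` in the three `run:` blocks is substituted into the bash script before it executes, so an input containing a quote or `;` becomes shell code rather than an argument; `image_name`, `context` and `dockerfile` are all unquoted on the command line as well. Today both callers pass literals, so the exposure is limited to whoever can already edit a workflow, but the same action is later driven by a `workflow_dispatch` input and the composite is the right place to close the path. Pass each input through `env:` and reference it as a quoted shell variable; the build step below shows the shape, and the push and verify steps need the same treatment. Separately, the "Verify push" step only lists tags, it never checks that the two tags just pushed are among them, so `| jq -e --arg t "$TAG" '.tags | index($t)'` would make it an actual verification.
```yaml
    - name: Build image
      shell: bash
      env:
        REGISTRY: ${{ inputs.registry }}
        IMAGE_NAME: ${{ inputs.image_name }}
        TAG: ${{ inputs.tag }}
        CONTEXT: ${{ inputs.context }}
        DOCKERFILE: ${{ inputs.dockerfile }}
      run: |
        docker build \
          -t "$REGISTRY/$IMAGE_NAME:$TAG" \
          -t "$REGISTRY/$IMAGE_NAME:$GITHUB_SHA" \
          -f "$CONTEXT/$DOCKERFILE" \
          "$CONTEXT"
    # … unchanged: push and verify steps, with the same env: mapping and quoted variables …
```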
@@ -0,0 +1,23 @@ +name: Build devpi Image + +on: + push: + paths: + - 'argocd/manifests/devpi/Dockerfile' + - 'argocd/manifests/devpi/start.sh' + - '.forgejo/workflows/build-devpi.yaml' + branches: [main] + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Build and push + uses: ./.forgejo/actions/build-push-image + with: + context: argocd/manifests/devpi + image_name: blumeops/devpi diff --git a/.forgejo/workflows/build-runner.yaml b/.forgejo/workflows/build-runner.yaml new file mode 100644 index 0000000..110f43d --- /dev/null +++ b/.forgejo/workflows/build-runner.yaml @@ -0,0 +1,23 @@ +name: Build Runner Image + +on: + push: + paths: + - 'argocd/manifests/forgejo-runner/Dockerfile' + - '.forgejo/actions/build-push-image/**' + - '.forgejo/workflows/build-runner.yaml' + branches: [main] + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Build and push + uses: ./.forgejo/actions/build-push-image + with: + context: argocd/manifests/forgejo-runner + image_name: blumeops/forgejo-runner diff --git a/argocd/manifests/forgejo-runner/deployment.yaml b/argocd/manifests/forgejo-runner/deployment.yaml index 0848e4a..dc535e2 100644 --- a/argocd/manifests/forgejo-runner/deployment.yaml +++ b/argocd/manifests/forgejo-runner/deployment.yaml @@ -48,6 +48,8 @@ spec: mountPath: /data - name: runner-config mountPath: /config + - name: docker-sock + mountPath: /var/run/docker.sock resources: requests: memory: "256Mi" @@ -55,9 +57,16 @@ spec: limits: memory: "1Gi" cpu: "1000m" + securityContext: + # Run as root to access Docker socket + runAsUser: 0 volumes: - name: runner-data emptyDir: {} - name: runner-config configMap: name: forgejo-runner-config + - name: docker-sock + hostPath: + path: /var/run/docker.sock + type: Socket From 4c249ff116358a4c2043aeb886db68bb8176f7d1 Mon Sep 17 00:00:00 2001 
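Review bot: `uses: actions/checkout@v4` resolves a moving tag at run time, so the code that runs with this repository's contents and registry access on every push to main is whatever that tag points at on the day, fetched from whichever action source the Forgejo instance is configured with. Pin the action to a full commit SHA and keep the version as a trailing comment, `uses: actions/checkout@<full-commit-sha>  # v4`, and apply the same pin in build-runner.yaml, which has the identical step.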
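Review bot: The `docker-sock` hostPath mount combined with `runAsUser: 0` hands the runner, and therefore every job any workflow schedules on it, unrestricted control of the node's Docker daemon, which is equivalent to root on the node; the `resources` limits above it do nothing to contain that. Patch 03 in this series removes the mount again, so the exposure is transient if the series lands together, but patch 01 should not be applied on its own. If a socket mount is ever reintroduced, the volume should carry a comment that states the trade-off plainly: `# WARNING: docker.sock access is root on the node; every job on this runner inherits it`.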
From: Erich Blume Date: Fri, 23 Jan 2026 19:44:43 -0800 Subject: [PATCH 02/16] Add docker group (GID 999) to runner security context --- argocd/manifests/forgejo-runner/deployment.yaml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/argocd/manifests/forgejo-runner/deployment.yaml b/argocd/manifests/forgejo-runner/deployment.yaml index dc535e2..57f1f05 100644 --- a/argocd/manifests/forgejo-runner/deployment.yaml +++ b/argocd/manifests/forgejo-runner/deployment.yaml @@ -58,8 +58,14 @@ spec: memory: "1Gi" cpu: "1000m" securityContext: - # Run as root to access Docker socket + # Run as root with docker group to access Docker socket runAsUser: 0 + runAsGroup: 0 + securityContext: + # Add docker group (GID 999 in minikube) for socket access + fsGroup: 999 + supplementalGroups: + - 999 volumes: - name: runner-data emptyDir: {} From 9f5dae5707dc4cb149578f82c79ee528002ef9da Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Fri, 23 Jan 2026 20:14:03 -0800 Subject: [PATCH 03/16] Switch to Buildah for container builds (no Docker socket needed) - Replace docker-cli with buildah/podman in runner image - Configure buildah for overlay storage with fuse-overlayfs - Add registry config for insecure local registry - Remove Docker socket mount and root security context from deployment - Update composite action to use buildah bud/push instead of docker Buildah is daemonless - no Docker socket required, cleaner security model. Co-Authored-By: Claude Opus 4.5 --- .forgejo/actions/build-push-image/action.yaml | 16 +++++------ argocd/manifests/forgejo-runner/Dockerfile | 27 ++++++++++++++++--- .../manifests/forgejo-runner/deployment.yaml | 15 ----------- 3 files changed, 31 insertions(+), 27 deletions(-) diff --git a/.forgejo/actions/build-push-image/action.yaml b/.forgejo/actions/build-push-image/action.yaml index 40b53a1..1d5676b 100644 --- a/.forgejo/actions/build-push-image/action.yaml +++ b/.forgejo/actions/build-push-image/action.yaml 
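Review bot: The new side adds a second `securityContext:` key at the same indentation as the existing one inside the container spec, and `fsGroup` / `supplementalGroups` are fields of the pod-level PodSecurityContext, not of a container's SecurityContext. Depending on the YAML decoder, the duplicate key is either rejected outright or the later mapping silently replaces the earlier one, in which case `runAsUser: 0` is dropped; either way the intent is not what gets applied. The group settings belong under `spec.template.spec.securityContext`, and since the container already runs as UID 0 the supplemental GID is not what grants socket access anyway. Patch 03 removes this whole stanza, so this is worth folding into that commit rather than carrying a broken intermediate state.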
@@ -1,5 +1,5 @@ name: 'Build and Push Image' -description: 'Build a container image and push to zot registry' +description: 'Build a container image with Buildah and push to registry' inputs: context: @@ -24,20 +24,20 @@ inputs: runs: using: 'composite' steps: - - name: Build image + - name: Build image with Buildah shell: bash run: | - docker build \ - -t ${{ inputs.registry }}/${{ inputs.image_name }}:${{ inputs.tag }} \ - -t ${{ inputs.registry }}/${{ inputs.image_name }}:${{ github.sha }} \ - -f ${{ inputs.context }}/${{ inputs.dockerfile }} \ + buildah bud \ + --tag ${{ inputs.registry }}/${{ inputs.image_name }}:${{ inputs.tag }} \ + --tag ${{ inputs.registry }}/${{ inputs.image_name }}:${{ github.sha }} \ + --file ${{ inputs.context }}/${{ inputs.dockerfile }} \ ${{ inputs.context }} - name: Push to registry shell: bash run: | - docker push ${{ inputs.registry }}/${{ inputs.image_name }}:${{ inputs.tag }} - docker push ${{ inputs.registry }}/${{ inputs.image_name }}:${{ github.sha }} + buildah push ${{ inputs.registry }}/${{ inputs.image_name }}:${{ inputs.tag }} + buildah push ${{ inputs.registry }}/${{ inputs.image_name }}:${{ github.sha }} - name: Verify push shell: bash diff --git a/argocd/manifests/forgejo-runner/Dockerfile b/argocd/manifests/forgejo-runner/Dockerfile index e511440..5bbdef5 100644 --- a/argocd/manifests/forgejo-runner/Dockerfile +++ b/argocd/manifests/forgejo-runner/Dockerfile 
@@ -18,12 +18,31 @@ RUN apk add --no-cache \ gcc \ g++ \ musl-dev \ - # For container builds - ca-certificates \ - docker-cli + # For container builds (daemonless, no Docker socket needed) + buildah \ + podman \ + fuse-overlayfs \ + shadow \ + ca-certificates + +# Configure buildah for rootless operation +RUN mkdir -p /etc/containers && \ + echo '[storage]' > /etc/containers/storage.conf && \ + echo 'driver = "overlay"' >> /etc/containers/storage.conf && \ + echo 'runroot = "/tmp/containers-run"' >> /etc/containers/storage.conf && \ + echo 'graphroot = "/tmp/containers-storage"' >> /etc/containers/storage.conf && \ + echo '[storage.options.overlay]' >> /etc/containers/storage.conf && \ + echo 'mount_program = "/usr/bin/fuse-overlayfs"' >> /etc/containers/storage.conf + +# Configure registries (allow insecure for local registry) +RUN mkdir -p /etc/containers && \ + echo 'unqualified-search-registries = ["docker.io"]' > /etc/containers/registries.conf && \ + echo '[[registry]]' >> /etc/containers/registries.conf && \ + echo 'location = "registry.tail8d86e.ts.net"' >> /etc/containers/registries.conf && \ + echo 'insecure = true' >> /etc/containers/registries.conf # Verify tools are available -RUN node --version && npm --version && docker --version +RUN node --version && npm --version && buildah --version # Switch back to non-root user USER 1000 diff --git a/argocd/manifests/forgejo-runner/deployment.yaml b/argocd/manifests/forgejo-runner/deployment.yaml index 57f1f05..0848e4a 100644 --- a/argocd/manifests/forgejo-runner/deployment.yaml +++ b/argocd/manifests/forgejo-runner/deployment.yaml @@ -48,8 +48,6 @@ spec: mountPath: /data - name: runner-config mountPath: /config - - name: docker-sock - mountPath: /var/run/docker.sock resources: requests: memory: "256Mi" 
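Review bot: `insecure = true` in the registries.conf stanza turns off TLS certificate verification (and permits a plain-HTTP fallback) for every push and pull against registry.tail8d86e.ts.net, which is the registry this runner's own releases are pulled from. The composite action already talks to the same host with `curl https://` and no `-k`, which suggests its certificate validates, so the flag is probably unnecessary; if it is there for a self-signed certificate, placing the CA at `/etc/containers/certs.d/registry.tail8d86e.ts.net/ca.crt` keeps verification on. I would drop the `insecure = true` line, or at minimum add `# insecure: <reason>` explaining why a trusted registry is being exempted from TLS checks. `podman` is also installed here while nothing in the series invokes it, which is extra surface in the job image for no use.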
@@ -57,22 +55,9 @@ spec: limits: memory: "1Gi" cpu: "1000m" - securityContext: - # Run as root with docker group to access Docker socket - runAsUser: 0 - runAsGroup: 0 - securityContext: - # Add docker group (GID 999 in minikube) for socket access - fsGroup: 999 - supplementalGroups: - - 999 volumes: - name: runner-data emptyDir: {} - name: runner-config configMap: name: forgejo-runner-config - - name: docker-sock - hostPath: - path: /var/run/docker.sock - type: Socket From c2be742094b69cc5dde92ff407ce95dcf5babd18 Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Fri, 23 Jan 2026 21:03:53 -0800 Subject: [PATCH 04/16] Add imagePullPolicy: Always to ensure fresh image pulls --- argocd/manifests/forgejo-runner/deployment.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/argocd/manifests/forgejo-runner/deployment.yaml b/argocd/manifests/forgejo-runner/deployment.yaml index 0848e4a..427d414 100644 --- a/argocd/manifests/forgejo-runner/deployment.yaml +++ b/argocd/manifests/forgejo-runner/deployment.yaml @@ -17,6 +17,7 @@ spec: containers: - name: runner image: registry.tail8d86e.ts.net/blumeops/forgejo-runner:latest + imagePullPolicy: Always env: # Use internal k8s service via Tailscale operator egress - name: FORGEJO_INSTANCE_URL From 6d8e6ea4c0eadadc88c9ed1b60a3382d11ee6168 Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Fri, 23 Jan 2026 21:05:40 -0800 Subject: [PATCH 05/16] Update test workflow to verify buildah/podman instead of docker --- .forgejo/workflows/test.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/test.yaml b/.forgejo/workflows/test.yaml index 134992b..f336ac9 100644 --- a/.forgejo/workflows/test.yaml +++ b/.forgejo/workflows/test.yaml @@ -26,8 +26,9 @@ jobs: make --version | head -1 gcc --version | head -1 echo "" - echo "=== Docker ===" - docker --version + echo "=== Container tools (Buildah) ===" + buildah --version + podman --version echo "" echo "=== Other tools ===" curl --version | head -1 
From a3a61146a3ffaefdcf02f15c689486eff04cc0bf Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Fri, 23 Jan 2026 21:14:02 -0800 Subject: [PATCH 06/16] Fix SIGPIPE in test workflow by adding || true to piped commands --- .forgejo/workflows/test.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.forgejo/workflows/test.yaml b/.forgejo/workflows/test.yaml index f336ac9..1db41ee 100644 --- a/.forgejo/workflows/test.yaml +++ b/.forgejo/workflows/test.yaml @@ -23,15 +23,15 @@ jobs: git --version echo "" echo "=== Build tools ===" - make --version | head -1 - gcc --version | head -1 + make --version 2>&1 | head -1 || true + gcc --version 2>&1 | head -1 || true echo "" echo "=== Container tools (Buildah) ===" buildah --version podman --version echo "" echo "=== Other tools ===" - curl --version | head -1 + curl --version 2>&1 | head -1 || true jq --version - name: Show repo info From b2967817d618c42bfe66054a1ab2f29588ea7bc0 Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Fri, 23 Jan 2026 21:15:49 -0800 Subject: [PATCH 07/16] Add comment to test buildah workflow --- argocd/manifests/forgejo-runner/Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/argocd/manifests/forgejo-runner/Dockerfile b/argocd/manifests/forgejo-runner/Dockerfile index 5bbdef5..7316438 100644 --- a/argocd/manifests/forgejo-runner/Dockerfile +++ b/argocd/manifests/forgejo-runner/Dockerfile @@ -46,3 +46,4 @@ RUN node --version && npm --version && buildah --version # Switch back to non-root user USER 1000 +# Built with Buildah From 3702e7eec24b55d1d68b33d79db8ac19090b5a7a Mon Sep 17 00:00:00 2001 
From: Erich Blume Date: Fri, 23 Jan 2026 21:34:33 -0800 Subject: [PATCH 08/16] Add tag-based container release workflow - Workflows trigger on git tags (e.g. runner-v1.0.0, devpi-v1.0.0) - Composite action takes explicit version, tags image with version + SHA - Add mise-tasks/container-list to enumerate containers and recent tags - Add mise-tasks/container-release to create release tags - Update CLAUDE.md with container release commands - TODO: investigate zot tag immutability Co-Authored-By: Claude Opus 4.5 --- .forgejo/actions/build-push-image/action.yaml | 29 ++++--- .forgejo/workflows/build-devpi.yaml | 26 +++++-- .forgejo/workflows/build-runner.yaml | 26 +++++-- CLAUDE.md | 7 ++ mise-tasks/container-list | 53 +++++++++++++ mise-tasks/container-release | 75 +++++++++++++++++++ 6 files changed, 193 insertions(+), 23 deletions(-) create mode 100755 mise-tasks/container-list create mode 100755 mise-tasks/container-release diff --git a/.forgejo/actions/build-push-image/action.yaml b/.forgejo/actions/build-push-image/action.yaml index 1d5676b..b278e02 100644 --- a/.forgejo/actions/build-push-image/action.yaml +++ b/.forgejo/actions/build-push-image/action.yaml @@ -1,5 +1,8 @@ name: 'Build and Push Image' -description: 'Build a container image with Buildah and push to registry' +description: 'Build a container image with Buildah and push to zot registry' + +# TODO: Investigate zot tag immutability to prevent overwriting released versions +# See: https://zotregistry.dev/v2.1.1/articles/immutable-tags/ inputs: context: @@ -12,10 +15,9 @@ inputs: image_name: description: 'Image name (without registry, e.g. blumeops/devpi)' required: true - tag: - description: 'Image tag' - required: false - default: 'latest' + version: + description: 'Version tag (e.g. v1.0.0)' + required: true registry: description: 'Registry URL' required: false 
@@ -27,8 +29,9 @@ runs: - name: Build image with Buildah shell: bash run: | + echo "Building ${{ inputs.image_name }}:${{ inputs.version }}" buildah bud \ - --tag ${{ inputs.registry }}/${{ inputs.image_name }}:${{ inputs.tag }} \ + --tag ${{ inputs.registry }}/${{ inputs.image_name }}:${{ inputs.version }} \ --tag ${{ inputs.registry }}/${{ inputs.image_name }}:${{ github.sha }} \ --file ${{ inputs.context }}/${{ inputs.dockerfile }} \ ${{ inputs.context }} @@ -36,12 +39,16 @@ runs: - name: Push to registry shell: bash run: | - buildah push ${{ inputs.registry }}/${{ inputs.image_name }}:${{ inputs.tag }} + echo "Pushing ${{ inputs.image_name }}:${{ inputs.version }}" + buildah push ${{ inputs.registry }}/${{ inputs.image_name }}:${{ inputs.version }} buildah push ${{ inputs.registry }}/${{ inputs.image_name }}:${{ github.sha }} - - name: Verify push + - name: Summary shell: bash run: | - echo "✅ Pushed: ${{ inputs.registry }}/${{ inputs.image_name }}:${{ inputs.tag }}" - echo "✅ Pushed: ${{ inputs.registry }}/${{ inputs.image_name }}:${{ github.sha }}" - curl -sf "https://${{ inputs.registry }}/v2/${{ inputs.image_name }}/tags/list" | jq . + echo "✅ Built and pushed:" + echo " ${{ inputs.registry }}/${{ inputs.image_name }}:${{ inputs.version }}" + echo " ${{ inputs.registry }}/${{ inputs.image_name }}:${{ github.sha }}" + echo "" + echo "Registry tags:" + curl -sf "https://${{ inputs.registry }}/v2/${{ inputs.image_name }}/tags/list" | jq -r '.tags[]' | sort -V | tail -10 diff --git a/.forgejo/workflows/build-devpi.yaml b/.forgejo/workflows/build-devpi.yaml index 9937bc9..89318b6 100644 --- a/.forgejo/workflows/build-devpi.yaml +++ b/.forgejo/workflows/build-devpi.yaml 
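Review bot: The push step discards the one identifier that cannot be overwritten, the image digest, while the TODO at the top of the file acknowledges that the version tag can be. `buildah push` accepts `--digestfile`, so `buildah push --digestfile /tmp/digest "$REF:$VERSION"` followed by `echo "digest=$(cat /tmp/digest)" >> "$GITHUB_OUTPUT"` and a matching `outputs: digest:` on the action lets the Summary step print `image@sha256:…` and lets deployment.yaml pin by digest instead of trusting tag immutability. This also makes the summary's `tail -10` of the tag list, which is decoration rather than verification, unnecessary.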
@@ -1,13 +1,14 @@ -name: Build devpi Image +name: Build devpi on: push: - paths: - - 'argocd/manifests/devpi/Dockerfile' - - 'argocd/manifests/devpi/start.sh' - - '.forgejo/workflows/build-devpi.yaml' - branches: [main] + tags: + - 'devpi-v*' workflow_dispatch: + inputs: + version: + description: 'Version (e.g. v1.0.0)' + required: true jobs: build: @@ -16,8 +17,21 @@ jobs: - name: Checkout uses: actions/checkout@v4 + - name: Extract version from tag + id: version + run: | + if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then + VERSION="${{ github.event.inputs.version }}" + else + # Extract version from tag: devpi-v1.0.0 -> v1.0.0 + VERSION="${GITHUB_REF_NAME#devpi-}" + fi + echo "version=$VERSION" >> "$GITHUB_OUTPUT" + echo "Building version: $VERSION" + - name: Build and push uses: ./.forgejo/actions/build-push-image with: context: argocd/manifests/devpi image_name: blumeops/devpi + version: ${{ steps.version.outputs.version }} diff --git a/.forgejo/workflows/build-runner.yaml b/.forgejo/workflows/build-runner.yaml index 110f43d..54162b6 100644 --- a/.forgejo/workflows/build-runner.yaml +++ b/.forgejo/workflows/build-runner.yaml @@ -1,13 +1,14 @@ -name: Build Runner Image +name: Build forgejo-runner on: push: - paths: - - 'argocd/manifests/forgejo-runner/Dockerfile' - - '.forgejo/actions/build-push-image/**' - - '.forgejo/workflows/build-runner.yaml' - branches: [main] + tags: + - 'runner-v*' workflow_dispatch: + inputs: + version: + description: 'Version (e.g. v1.0.0)' + required: true jobs: build: 
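Review bot: `VERSION="${{ github.event.inputs.version }}"` substitutes the dispatch input into the script text before bash runs it, so a value containing `"` or `$(…)` executes in the job with the runner's registry access, and the unvalidated value then becomes a `buildah --tag` argument. Read it from the environment instead and apply the same check the container-release script already enforces: add `env: VERSION_INPUT: ${{ github.event.inputs.version }}` to the step, assign `VERSION="$VERSION_INPUT"`, and after the if/else add `[[ "$VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "invalid version: $VERSION" >&2; exit 1; }`. The tag path needs the check too, since `devpi-v*` matches `devpi-v$(id)`. build-runner.yaml has the identical step and needs the identical fix.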
@@ -16,8 +17,21 @@ jobs: - name: Checkout uses: actions/checkout@v4 + - name: Extract version from tag + id: version + run: | + if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then + VERSION="${{ github.event.inputs.version }}" + else + # Extract version from tag: runner-v1.0.0 -> v1.0.0 + VERSION="${GITHUB_REF_NAME#runner-}" + fi + echo "version=$VERSION" >> "$GITHUB_OUTPUT" + echo "Building version: $VERSION" + - name: Build and push uses: ./.forgejo/actions/build-push-image with: context: argocd/manifests/forgejo-runner image_name: blumeops/forgejo-runner + version: ${{ steps.version.outputs.version }} diff --git a/CLAUDE.md b/CLAUDE.md index 82ed044..1399f9a 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -134,6 +134,13 @@ When migrating a service from indri to k8s, the Tailscale hostname must be freed Use `ssh indri 'tailscale serve status --json'` to check current serve entries (the non-JSON output may be empty even when entries exist). +## Container Image Releases + +```fish +mise run container-list # Show containers and recent tags +mise run container-release runner v1.0.0 # Tag and trigger build workflow +``` + ## Third-Party Projects When a task requires cloning or using a third-party git repository (e.g., for building from source), **ask the user to mirror it on forge first**, then clone from the mirror: diff --git a/mise-tasks/container-list b/mise-tasks/container-list new file mode 100755 index 0000000..21a2ad9 --- /dev/null +++ b/mise-tasks/container-list 
@@ -0,0 +1,53 @@ +#!/usr/bin/env bash +#MISE description="List available containers and their recent tags" + +set -euo pipefail + +REGISTRY="registry.tail8d86e.ts.net" +WORKFLOW_DIR=".forgejo/workflows" + +echo "Container Images" +echo "================" +echo "" + +# Find all build-*.yaml workflows +for workflow in "$WORKFLOW_DIR"/build-*.yaml; do + [[ -f "$workflow" ]] || continue + + # Extract container name from filename: build-runner.yaml -> runner + filename=$(basename "$workflow") + container="${filename#build-}" + container="${container%.yaml}" + + # Skip if not a container build workflow (check for image_name) + if ! grep -q "image_name:" "$workflow" 2>/dev/null; then + continue + fi + + # Extract image name from workflow + image=$(grep -E "^\s+image_name:" "$workflow" | head -1 | awk '{print $2}') + + echo "📦 $container" + echo " Image: $REGISTRY/$image" + echo " Workflow: $workflow" + + # Query zot for recent tags + tags=$(curl -sf "https://$REGISTRY/v2/$image/tags/list" 2>/dev/null | jq -r '.tags // [] | .[]' | grep -E '^v[0-9]' | sort -V | tail -4 || true) + + if [[ -n "$tags" ]]; then + echo " Recent tags:" + echo "$tags" | while read -r tag; do + echo " - $tag" + done + else + echo " Recent tags: (none)" + fi + echo "" +done + +echo "---" +echo "To release a new version:" +echo " mise run container-release " +echo "" +echo "Example:" +echo " mise run container-release runner v1.0.0" diff --git a/mise-tasks/container-release b/mise-tasks/container-release new file mode 100755 index 0000000..9e8802b --- /dev/null +++ b/mise-tasks/container-release 
@@ -0,0 +1,75 @@ +#!/usr/bin/env bash +#MISE description="Release a container image by creating a git tag" + +set -euo pipefail + +CONTAINER="${1:-}" +VERSION="${2:-}" + +if [[ -z "$CONTAINER" || -z "$VERSION" ]]; then + echo "Usage: mise run container-release " + echo "" + echo "Run 'mise run container-list' to see available containers and recent tags." + exit 1 +fi + +# Validate version format +if [[ ! "$VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then + echo "Error: Version must be in format vX.Y.Z (e.g. v1.0.0)" + exit 1 +fi + +TAG="${CONTAINER}-${VERSION}" + +echo "Creating release tag: $TAG" +echo "" + +# Check if tag already exists +if git rev-parse "$TAG" >/dev/null 2>&1; then + echo "Error: Tag '$TAG' already exists" + echo "Existing tags for $CONTAINER:" + git tag -l "${CONTAINER}-v*" | sort -V | tail -5 + exit 1 +fi + +# Find the workflow file to determine image name +WORKFLOW_FILE=".forgejo/workflows/build-${CONTAINER}.yaml" +if [[ ! -f "$WORKFLOW_FILE" ]]; then + echo "Error: No workflow found for container '$CONTAINER'" + echo "" + echo "Run 'mise run container-list' to see available containers." + exit 1 +fi + +# Extract image name from workflow +IMAGE=$(grep -E "^\s+image_name:" "$WORKFLOW_FILE" | head -1 | awk '{print $2}') +if [[ -z "$IMAGE" ]]; then + echo "Error: Could not determine image name from $WORKFLOW_FILE" + exit 1 +fi + +echo "Container: $CONTAINER" +echo "Workflow: $WORKFLOW_FILE" +echo "Image: registry.tail8d86e.ts.net/$IMAGE:$VERSION" +echo "" + +# Confirm +read -p "Create tag and push? [y/N] " -n 1 -r +echo +if [[ ! $REPLY =~ ^[Yy]$ ]]; then + echo "Aborted." + exit 0 +fi + +# Create and push tag +git tag "$TAG" +git push origin "$TAG" + +echo "" +echo "✅ Tag '$TAG' created and pushed" +echo "" +echo "The workflow will now build and push:" +echo " registry.tail8d86e.ts.net/$IMAGE:$VERSION" +echo "" +echo "Monitor the build at:" +echo " https://forge.tail8d86e.ts.net/eblume/blumeops/actions" 
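Review bot: `git tag "$TAG"` creates a lightweight, unsigned tag on whatever HEAD happens to be, including a dirty tree or a feature-branch commit, and that tag is the sole trigger for a release build that pushes into the registry the runner itself is deployed from. Before tagging, refuse a dirty tree with `[[ -z "$(git status --porcelain)" ]] || { echo "Error: working tree has uncommitted changes" >&2; exit 1; }` and print `git rev-parse --short HEAD` together with the branch in the confirmation prompt so the operator sees what is being released. Create the tag as annotated (or signed, if the repo has a key policy) so the release is attributable: `git tag -a "$TAG" -m "Release $CONTAINER $VERSION"`.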
From 0c1a3bf0cfd224b30a540feb95fb4b3b08a3ea98 Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Fri, 23 Jan 2026 21:41:01 -0800 Subject: [PATCH 09/16] Remove test comment from Dockerfile Co-Authored-By: Claude Opus 4.5 --- argocd/manifests/forgejo-runner/Dockerfile | 1 - 1 file changed, 1 deletion(-) diff --git a/argocd/manifests/forgejo-runner/Dockerfile b/argocd/manifests/forgejo-runner/Dockerfile index 7316438..5bbdef5 100644 --- a/argocd/manifests/forgejo-runner/Dockerfile +++ b/argocd/manifests/forgejo-runner/Dockerfile @@ -46,4 +46,3 @@ RUN node --version && npm --version && buildah --version # Switch back to non-root user USER 1000 -# Built with Buildah From 4e0767b4d9d7689e6c425cbcb3eca47d6bec42b2 Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Fri, 23 Jan 2026 22:00:19 -0800 Subject: [PATCH 10/16] Build forgejo-runner from source with proper user setup - Multi-stage build from mirrored forgejo-runner source - Create proper runner user with passwd entry (fixes buildah) - Use named user instead of numeric UID Co-Authored-By: Claude Opus 4.5 --- argocd/manifests/forgejo-runner/Dockerfile | 58 ++++++++++++++-------- 1 file changed, 37 insertions(+), 21 deletions(-) diff --git a/argocd/manifests/forgejo-runner/Dockerfile b/argocd/manifests/forgejo-runner/Dockerfile index 5bbdef5..64bf571 100644 --- a/argocd/manifests/forgejo-runner/Dockerfile +++ b/argocd/manifests/forgejo-runner/Dockerfile 
@@ -1,19 +1,37 @@ -FROM code.forgejo.org/forgejo/runner:3.5.1 +# Build forgejo-runner from source +# Source: https://forge.tail8d86e.ts.net/eblume/forgejo-runner (mirror of code.forgejo.org/forgejo/runner) -# Switch to root to install packages -USER root +FROM golang:1.24-alpine AS builder -# The base image is Alpine Linux -# Install tools needed for GitHub Actions and builds +ARG FORGEJO_RUNNER_VERSION=v3.5.1 + +RUN apk add --no-cache git make build-base + +WORKDIR /src +RUN git clone --depth 1 --branch ${FORGEJO_RUNNER_VERSION} \ + https://forge.tail8d86e.ts.net/eblume/forgejo-runner.git . + +RUN make clean && make build + +# Runtime image +FROM alpine:3.21 + +# Create runner user with proper passwd entry (required by buildah) +RUN addgroup -g 1000 runner && \ + adduser -D -u 1000 -G runner -h /data runner + +# Install runtime dependencies RUN apk add --no-cache \ # Required for actions/checkout and other Node-based actions nodejs \ npm \ - # Build essentials + # Core tools git \ + bash \ curl \ wget \ jq \ + # Build essentials make \ gcc \ g++ \ 
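Review bot: The build clones `--branch ${FORGEJO_RUNNER_VERSION}` from the mirror, so the runner binary is whatever that tag points at when the build happens; tags can be moved on the mirror and nothing here records or checks the commit that was actually built, and `golang:1.24-alpine` and `alpine:3.21` are likewise floating tags. Since this binary executes every job in the CI system, pin the source to a commit (obtained once with `git rev-parse v3.5.1` against the mirror) and fail the build if the tag has drifted, and pin both base images with `@sha256:` digests. The builder stage below shows the commit check; the runtime stage is unchanged apart from the digest on its `FROM`.
```dockerfile
ARG FORGEJO_RUNNER_VERSION=v3.5.1
# Commit the tag resolved to when it was reviewed; a tag can be moved, a commit cannot.
ARG FORGEJO_RUNNER_COMMIT

RUN apk add --no-cache git make build-base

WORKDIR /src
RUN git clone --depth 1 --branch "${FORGEJO_RUNNER_VERSION}" \
      https://forge.tail8d86e.ts.net/eblume/forgejo-runner.git . && \
    [ "$(git rev-parse HEAD)" = "${FORGEJO_RUNNER_COMMIT}" ] || \
      { echo "tag ${FORGEJO_RUNNER_VERSION} no longer points at ${FORGEJO_RUNNER_COMMIT}" >&2; exit 1; }

RUN make clean && make build
# … unchanged: runtime stage …
```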
@@ -22,27 +40,25 @@ RUN apk add --no-cache \ buildah \ podman \ fuse-overlayfs \ - shadow \ ca-certificates +# Copy runner binary from builder +COPY --from=builder /src/forgejo-runner /bin/forgejo-runner + # Configure buildah for rootless operation RUN mkdir -p /etc/containers && \ - echo '[storage]' > /etc/containers/storage.conf && \ - echo 'driver = "overlay"' >> /etc/containers/storage.conf && \ - echo 'runroot = "/tmp/containers-run"' >> /etc/containers/storage.conf && \ - echo 'graphroot = "/tmp/containers-storage"' >> /etc/containers/storage.conf && \ - echo '[storage.options.overlay]' >> /etc/containers/storage.conf && \ - echo 'mount_program = "/usr/bin/fuse-overlayfs"' >> /etc/containers/storage.conf + printf '[storage]\ndriver = "overlay"\nrunroot = "/tmp/containers-run"\ngraphroot = "/tmp/containers-storage"\n[storage.options.overlay]\nmount_program = "/usr/bin/fuse-overlayfs"\n' \ + > /etc/containers/storage.conf # Configure registries (allow insecure for local registry) -RUN mkdir -p /etc/containers && \ - echo 'unqualified-search-registries = ["docker.io"]' > /etc/containers/registries.conf && \ - echo '[[registry]]' >> /etc/containers/registries.conf && \ - echo 'location = "registry.tail8d86e.ts.net"' >> /etc/containers/registries.conf && \ - echo 'insecure = true' >> /etc/containers/registries.conf +RUN printf 'unqualified-search-registries = ["docker.io"]\n[[registry]]\nlocation = "registry.tail8d86e.ts.net"\ninsecure = true\n' \ + > /etc/containers/registries.conf # Verify tools are available -RUN node --version && npm --version && buildah --version +RUN node --version && npm --version && buildah --version && /bin/forgejo-runner --version -# Switch back to non-root user -USER 1000 +ENV HOME=/data +WORKDIR /data +USER runner + +CMD ["/bin/forgejo-runner"] From a979ddaf0cc1c5c9d6fecf9d6a0b39377f174704 Mon Sep 17 00:00:00 2001 
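Review bot: `mount_program = "/usr/bin/fuse-overlayfs"` only works if the process can open `/dev/fuse`, and the deployment.yaml changes in this series never expose that device to the pod (no device mount, no privileged flag), so as far as I can tell buildah will fail to set up overlay storage in the cluster runner; patch 13's move to a host runner suggests this was hit in practice. If the in-cluster build path is kept, the Dockerfile should say what it needs from the pod spec so the two files do not drift: `# NOTE: fuse-overlayfs needs /dev/fuse in the pod; deployment.yaml must expose it`. The registries.conf rewrite here also still carries `insecure = true`; the earlier note on that line applies unchanged.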
From: Erich Blume Date: Fri, 23 Jan 2026 22:07:06 -0800 Subject: [PATCH 11/16] Use versioned runner image v1.0.1 - Remove imagePullPolicy: Always (rely on immutable tags) - Use explicit version tag instead of :latest Co-Authored-By: Claude Opus 4.5 --- argocd/manifests/forgejo-runner/deployment.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/argocd/manifests/forgejo-runner/deployment.yaml b/argocd/manifests/forgejo-runner/deployment.yaml index 427d414..ef35053 100644 --- a/argocd/manifests/forgejo-runner/deployment.yaml +++ b/argocd/manifests/forgejo-runner/deployment.yaml @@ -16,8 +16,7 @@ spec: serviceAccountName: forgejo-runner containers: - name: runner - image: registry.tail8d86e.ts.net/blumeops/forgejo-runner:latest - imagePullPolicy: Always + image: registry.tail8d86e.ts.net/blumeops/forgejo-runner:v1.0.1 env: # Use internal k8s service via Tailscale operator egress - name: FORGEJO_INSTANCE_URL From 8d2e180d5d6c4ac44bf5c5640e05beeea6dfa41a Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Fri, 23 Jan 2026 22:13:03 -0800 Subject: [PATCH 12/16] Add subuid/subgid for rootless buildah Buildah needs UID/GID remapping to extract images with files owned by different users (root, shadow, etc). Configure subordinate UID/GID ranges for the runner user. Co-Authored-By: Claude Opus 4.5 --- argocd/manifests/forgejo-runner/Dockerfile | 5 ++++- argocd/manifests/forgejo-runner/deployment.yaml | 2 +- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/argocd/manifests/forgejo-runner/Dockerfile b/argocd/manifests/forgejo-runner/Dockerfile index 64bf571..862f531 100644 --- a/argocd/manifests/forgejo-runner/Dockerfile +++ b/argocd/manifests/forgejo-runner/Dockerfile 
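Review bot: The commit message says it relies on immutable tags, but the composite action's own TODO records that zot tag immutability has not been investigated, so `v1.0.1` can be re-pushed and, with `imagePullPolicy: Always` removed, a node that already has the old image will keep running it while a fresh node pulls the new one. Pin by digest, `image: registry.tail8d86e.ts.net/blumeops/forgejo-runner:v1.0.1@sha256:<digest>`, which keeps the human-readable tag, makes the pull deterministic, and is the only form that survives a tag overwrite.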
@@ -17,8 +17,11 @@ RUN make clean && make build FROM alpine:3.21 # Create runner user with proper passwd entry (required by buildah) +# Also configure subuid/subgid for rootless container builds RUN addgroup -g 1000 runner && \ - adduser -D -u 1000 -G runner -h /data runner + adduser -D -u 1000 -G runner -h /data runner && \ + echo "runner:100000:65536" >> /etc/subuid && \ + echo "runner:100000:65536" >> /etc/subgid # Install runtime dependencies RUN apk add --no-cache \ diff --git a/argocd/manifests/forgejo-runner/deployment.yaml b/argocd/manifests/forgejo-runner/deployment.yaml index ef35053..79c70d3 100644 --- a/argocd/manifests/forgejo-runner/deployment.yaml +++ b/argocd/manifests/forgejo-runner/deployment.yaml @@ -16,7 +16,7 @@ spec: serviceAccountName: forgejo-runner containers: - name: runner - image: registry.tail8d86e.ts.net/blumeops/forgejo-runner:v1.0.1 + image: registry.tail8d86e.ts.net/blumeops/forgejo-runner:v1.0.3 env: # Use internal k8s service via Tailscale operator egress - name: FORGEJO_INSTANCE_URL From 676c1782d1e137f779399af8970d4734e9d601c7 Mon Sep 17 00:00:00 2001 
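Review bot: The `/etc/subuid` and `/etc/subgid` entries are inert unless the setuid `newuidmap`/`newgidmap` helpers are present, and patch 10 dropped the `shadow` package that patch 03 had installed, so the runtime image has no way to apply these ranges; on Alpine the helpers ship in `shadow-uidmap`, as far as I recall. Rootless buildah additionally needs the pod to permit unprivileged user-namespace creation, which depends on the node kernel and the pod's seccomp/AppArmor profile and is not addressed in deployment.yaml. Either add the helper package and note the pod requirement, or, given patch 13 moves builds off the cluster, leave a comment that these lines are not sufficient on their own: `# subuid/subgid only take effect with newuidmap/newgidmap installed and user namespaces allowed in the pod`.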
From: Erich Blume Date: Fri, 23 Jan 2026 22:28:44 -0800 Subject: [PATCH 13/16] Add forgejo_runner Ansible role for indri Run forgejo-runner directly on indri using Docker container mode instead of trying to build containers inside k8s pods. This avoids nested containerization complexity. Features: - Build from source using mise + Go - Docker container mode for job isolation - Can build containers via Docker socket - Labels: docker-builder (distinct from k8s runner) Co-Authored-By: Claude Opus 4.5 --- ansible/playbooks/indri.yml | 19 +++++ .../roles/forgejo_runner/defaults/main.yml | 19 +++++ .../roles/forgejo_runner/handlers/main.yml | 11 +++ ansible/roles/forgejo_runner/tasks/main.yml | 83 +++++++++++++++++++ .../forgejo_runner/templates/config.yaml.j2 | 15 ++++ .../templates/forgejo-runner.plist.j2 | 26 ++++++ 6 files changed, 173 insertions(+) create mode 100644 ansible/roles/forgejo_runner/defaults/main.yml create mode 100644 ansible/roles/forgejo_runner/handlers/main.yml create mode 100644 ansible/roles/forgejo_runner/tasks/main.yml create mode 100644 ansible/roles/forgejo_runner/templates/config.yaml.j2 create mode 100644 ansible/roles/forgejo_runner/templates/forgejo-runner.plist.j2 diff --git a/ansible/playbooks/indri.yml b/ansible/playbooks/indri.yml index 6e962f1..4366eb0 100644 --- a/ansible/playbooks/indri.yml +++ b/ansible/playbooks/indri.yml @@ -61,6 +61,23 @@ no_log: true tags: [forgejo] + # Forgejo runner token (for indri-based runner) + - name: Fetch forgejo runner token + ansible.builtin.command: + cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get w3663ffnvkewbftncqxtcpeavy --fields runner-token --reveal + delegate_to: localhost + register: _forgejo_runner_token + changed_when: false + no_log: true + check_mode: false + tags: [forgejo_runner] + + - name: Set forgejo runner token fact + ansible.builtin.set_fact: + forgejo_runner_token: "{{ _forgejo_runner_token.stdout }}" + no_log: true + tags: [forgejo_runner] + roles: - role: alloy tags: alloy 
@@ -82,3 +99,5 @@ tags: plex_metrics - role: tailscale_serve tags: tailscale-serve + - role: forgejo_runner + tags: forgejo_runner diff --git a/ansible/roles/forgejo_runner/defaults/main.yml b/ansible/roles/forgejo_runner/defaults/main.yml new file mode 100644 index 0000000..643f3a2 --- /dev/null +++ b/ansible/roles/forgejo_runner/defaults/main.yml @@ -0,0 +1,19 @@ +--- +forgejo_runner_repo_dir: /Users/erichblume/code/3rd/forgejo-runner +forgejo_runner_binary: "{{ forgejo_runner_repo_dir }}/forgejo-runner" +forgejo_runner_data_dir: /Users/erichblume/.forgejo-runner +forgejo_runner_config_dir: /Users/erichblume/.config/forgejo-runner +forgejo_runner_log_dir: /Users/erichblume/Library/Logs + +# Runner registration +forgejo_runner_instance_url: "http://localhost:3001" +forgejo_runner_name: "indri-docker-runner" +forgejo_runner_labels: "docker-builder:docker" + +# Runner config +forgejo_runner_capacity: 2 +forgejo_runner_timeout: 3h + +# Docker container settings for jobs +forgejo_runner_docker_network: bridge +forgejo_runner_privileged: true # Needed for container builds diff --git a/ansible/roles/forgejo_runner/handlers/main.yml b/ansible/roles/forgejo_runner/handlers/main.yml new file mode 100644 index 0000000..9cad7d1 --- /dev/null +++ b/ansible/roles/forgejo_runner/handlers/main.yml @@ -0,0 +1,11 @@ +--- +- name: Restart forgejo-runner + block: + - name: Unload forgejo-runner LaunchAgent + ansible.builtin.command: launchctl unload ~/Library/LaunchAgents/mcquack.eblume.forgejo-runner.plist + failed_when: false + changed_when: true + + - name: Load forgejo-runner LaunchAgent + ansible.builtin.command: launchctl load ~/Library/LaunchAgents/mcquack.eblume.forgejo-runner.plist + changed_when: true diff --git a/ansible/roles/forgejo_runner/tasks/main.yml b/ansible/roles/forgejo_runner/tasks/main.yml new file mode 100644 index 0000000..d7106c1 --- /dev/null +++ b/ansible/roles/forgejo_runner/tasks/main.yml 
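Review bot: `forgejo_runner_privileged: true` in defaults/main.yml gives every job on this runner a privileged container on top of the host Docker socket that config.yaml.j2 allowlists, which is strictly more than a socket-driven `docker build` needs, and the comment `# Needed for container builds` justifies the socket rather than privileged mode. If the builds in this series go through the mounted socket (the composite action only runs `docker build`/`docker push`), the default can be `forgejo_runner_privileged: false  # docker.sock via valid_volumes is enough for socket builds`, with privileged mode enabled per job only when something actually requires it. Also `forgejo_runner_instance_url: "http://localhost:3001"` is plain HTTP, which is fine only as long as the runner and Forgejo really share the host, since the registration token and per-job tokens travel over it.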
@@ -0,0 +1,83 @@ +--- +# Forgejo Runner on indri +# +# Uses Docker container mode for job isolation. +# Can build containers using Docker (via socket). +# +# ONE-TIME SETUP (before running ansible): +# +# 1. Clone forgejo-runner from forge mirror: +# ssh indri 'git clone https://forge.tail8d86e.ts.net/eblume/forgejo-runner.git ~/code/3rd/forgejo-runner' +# +# 2. Set up Go via mise: +# ssh indri 'cd ~/code/3rd/forgejo-runner && mise use go@1.24' +# +# 3. Build: +# ssh indri 'cd ~/code/3rd/forgejo-runner && mise x -- make build' +# +# 4. Run ansible to deploy config and LaunchAgent + +- name: Verify forgejo-runner binary exists + ansible.builtin.stat: + path: "{{ forgejo_runner_binary }}" + register: forgejo_runner_binary_stat + +- name: Fail if forgejo-runner binary not found + ansible.builtin.fail: + msg: | + Forgejo-runner binary not found at {{ forgejo_runner_binary }}. + Please build from source first: + ssh indri 'cd ~/code/3rd/forgejo-runner && mise x -- make build' + when: not forgejo_runner_binary_stat.stat.exists + +- name: Ensure forgejo-runner directories exist + ansible.builtin.file: + path: "{{ item }}" + state: directory + mode: '0755' + loop: + - "{{ forgejo_runner_data_dir }}" + - "{{ forgejo_runner_config_dir }}" + +- name: Deploy forgejo-runner config + ansible.builtin.template: + src: config.yaml.j2 + dest: "{{ forgejo_runner_config_dir }}/config.yaml" + mode: '0644' + notify: Restart forgejo-runner + +- name: Check if runner is registered + ansible.builtin.stat: + path: "{{ forgejo_runner_data_dir }}/.runner" + register: forgejo_runner_registered + +- name: Register runner with Forgejo + ansible.builtin.command: + cmd: > + {{ forgejo_runner_binary }} register + --instance "{{ forgejo_runner_instance_url }}" + --token "{{ forgejo_runner_token }}" + --name "{{ forgejo_runner_name }}" + --labels "{{ forgejo_runner_labels }}" + --no-interactive + chdir: "{{ forgejo_runner_data_dir }}" + when: not forgejo_runner_registered.stat.exists + changed_when: 
true + +- name: Deploy forgejo-runner LaunchAgent plist + ansible.builtin.template: + src: forgejo-runner.plist.j2 + dest: ~/Library/LaunchAgents/mcquack.eblume.forgejo-runner.plist + mode: '0644' + notify: Restart forgejo-runner + +- name: Check if forgejo-runner LaunchAgent is loaded + ansible.builtin.command: launchctl list mcquack.eblume.forgejo-runner + register: forgejo_runner_launchctl_check + changed_when: false + failed_when: false + +- name: Load forgejo-runner LaunchAgent if not loaded + ansible.builtin.command: launchctl load ~/Library/LaunchAgents/mcquack.eblume.forgejo-runner.plist + when: forgejo_runner_launchctl_check.rc != 0 + changed_when: true diff --git a/ansible/roles/forgejo_runner/templates/config.yaml.j2 b/ansible/roles/forgejo_runner/templates/config.yaml.j2 new file mode 100644 index 0000000..7de5cc0 --- /dev/null +++ b/ansible/roles/forgejo_runner/templates/config.yaml.j2 @@ -0,0 +1,15 @@ +# {{ ansible_managed }} +log: + level: info + +runner: + file: {{ forgejo_runner_data_dir }}/.runner + capacity: {{ forgejo_runner_capacity }} + timeout: {{ forgejo_runner_timeout }} + +container: + network: "{{ forgejo_runner_docker_network }}" + privileged: {{ forgejo_runner_privileged | lower }} + # Mount Docker socket so jobs can build containers + valid_volumes: + - /var/run/docker.sock diff --git a/ansible/roles/forgejo_runner/templates/forgejo-runner.plist.j2 b/ansible/roles/forgejo_runner/templates/forgejo-runner.plist.j2 new file mode 100644 index 0000000..4bac25f --- /dev/null +++ b/ansible/roles/forgejo_runner/templates/forgejo-runner.plist.j2 
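Review bot: The `Register runner with Forgejo` task passes the secret as `--token "{{ forgejo_runner_token }}"` on the command line but has no `no_log: true`, so a `-v` run or a task failure prints the full command including the token, undoing the care the fetch tasks in indri.yml take; add `no_log: true` next to `changed_when: true` on that task (and note that while register runs the token is visible in `ps` to any process of that user). Separately, `forgejo_runner_data_dir` is created with `mode: '0755'` and the register step writes `.runner` into it; as far as I can tell that file is the runner's credential to Forgejo, so `mode: '0700'` on the data dir would be the safer default. The one-time setup comment builds the runner from an unpinned clone of the forge mirror; recording the tag or commit to check out would make the binary reproducible and reviewable.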
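Review bot: `valid_volumes: - /var/run/docker.sock` together with `privileged: {{ forgejo_runner_privileged | lower }}` means any job that lands on this runner can drive the host Docker daemon (start containers with arbitrary bind mounts, i.e. effective root on the Docker host), so the trust boundary is now whoever can get a workflow scheduled on the `docker-builder` label. That is acceptable for a single-user forge, but it deserves a comment in the template saying so, and the runner should stay restricted to trusted repositories and never pick up pull requests from untrusted sources. If I read the forgejo-runner config right, `valid_volumes` is an allowlist of mounts a job may request rather than an automatic mount, so `# Mount Docker socket so jobs can build containers` overstates it; `# Allow jobs to bind-mount the host Docker socket (jobs must request it; this grants daemon-level access to the host)` would be more accurate.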
@@ -0,0 +1,26 @@ + + + + + + Label + mcquack.eblume.forgejo-runner + ProgramArguments + + {{ forgejo_runner_binary }} + daemon + --config + {{ forgejo_runner_config_dir }}/config.yaml + + WorkingDirectory + {{ forgejo_runner_data_dir }} + RunAtLoad + + KeepAlive + + StandardOutPath + {{ forgejo_runner_log_dir }}/mcquack.forgejo-runner.out.log + StandardErrorPath + {{ forgejo_runner_log_dir }}/mcquack.forgejo-runner.err.log + + From 7a637d2ebf62b442df43ca1ae9bbc924cba22195 Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Fri, 23 Jan 2026 22:31:06 -0800 Subject: [PATCH 14/16] Fix 1Password field name for runner token Use runner_reg field (matching existing k8s secret template) Co-Authored-By: Claude Opus 4.5 --- ansible/playbooks/indri.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/playbooks/indri.yml b/ansible/playbooks/indri.yml index 4366eb0..b12e905 100644 --- a/ansible/playbooks/indri.yml +++ b/ansible/playbooks/indri.yml @@ -64,7 +64,7 @@ # Forgejo runner token (for indri-based runner) - name: Fetch forgejo runner token ansible.builtin.command: - cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get w3663ffnvkewbftncqxtcpeavy --fields runner-token --reveal + cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get w3663ffnvkewbftncqxtcpeavy --fields runner_reg --reveal delegate_to: localhost register: _forgejo_runner_token changed_when: false From 8b75b696f00725148c82d9b7f16b877597cd03d8 Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Sat, 24 Jan 2026 08:44:23 -0800 Subject: [PATCH 15/16] Fix forgejo_runner handler (no nested blocks) Co-Authored-By: Claude Opus 4.5 --- ansible/roles/forgejo_runner/handlers/main.yml | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/ansible/roles/forgejo_runner/handlers/main.yml b/ansible/roles/forgejo_runner/handlers/main.yml index 9cad7d1..a1798f4 100644 --- a/ansible/roles/forgejo_runner/handlers/main.yml +++ b/ansible/roles/forgejo_runner/handlers/main.yml 
@@ -1,11 +1,7 @@
 ---
 - name: Restart forgejo-runner
-  block:
-    - name: Unload forgejo-runner LaunchAgent
-      ansible.builtin.command: launchctl unload ~/Library/LaunchAgents/mcquack.eblume.forgejo-runner.plist
-      failed_when: false
-      changed_when: true
-
-    - name: Load forgejo-runner LaunchAgent
-      ansible.builtin.command: launchctl load ~/Library/LaunchAgents/mcquack.eblume.forgejo-runner.plist
-      changed_when: true
+  listen: Restart forgejo-runner
+  ansible.builtin.shell: |
+    launchctl unload ~/Library/LaunchAgents/mcquack.eblume.forgejo-runner.plist 2>/dev/null || true
+    launchctl load ~/Library/LaunchAgents/mcquack.eblume.forgejo-runner.plist
+  changed_when: true

From 2c284ed0cf2897736f9c0f636a0b7b247e45d5ea Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Sat, 24 Jan 2026 08:49:02 -0800
Subject: [PATCH 16/16] Switch container builds to indri docker-builder runner

- Use Docker instead of buildah in composite action
- Build workflows now run on docker-builder label
- Add actionlint config for custom runner labels
- Avoids nested containerization complexity in k8s

Co-Authored-By: Claude Opus 4.5
---
 .forgejo/actions/build-push-image/action.yaml | 14 +++++++-------
 .forgejo/workflows/build-devpi.yaml           |  2 +-
 .forgejo/workflows/build-runner.yaml          |  2 +-
 .github/actionlint.yaml                       |  5 +++++
 .pre-commit-config.yaml                       |  1 +
 5 files changed, 15 insertions(+), 9 deletions(-)
 create mode 100644 .github/actionlint.yaml

diff --git a/.forgejo/actions/build-push-image/action.yaml b/.forgejo/actions/build-push-image/action.yaml
index b278e02..ac6f711 100644
--- a/.forgejo/actions/build-push-image/action.yaml
+++ b/.forgejo/actions/build-push-image/action.yaml
@@ -1,5 +1,5 @@
 name: 'Build and Push Image'
-description: 'Build a container image with Buildah and push to zot registry'
+description: 'Build a container image with Docker and push to zot registry'
 
 # TODO: Investigate zot tag immutability to prevent overwriting released versions
 # See: https://zotregistry.dev/v2.1.1/articles/immutable-tags/
@@ -26,11 +26,11 @@ inputs:
 runs:
   using: 'composite'
   steps:
-    - name: Build image with Buildah
+    - name: Build image with Docker
       shell: bash
       run: |
         echo "Building ${{ inputs.image_name }}:${{ inputs.version }}"
-        buildah bud \
+        docker build \
           --tag ${{ inputs.registry }}/${{ inputs.image_name }}:${{ inputs.version }} \
           --tag ${{ inputs.registry }}/${{ inputs.image_name }}:${{ github.sha }} \
           --file ${{ inputs.context }}/${{ inputs.dockerfile }} \
@@ -40,15 +40,15 @@ runs:
       shell: bash
       run: |
         echo "Pushing ${{ inputs.image_name }}:${{ inputs.version }}"
-        buildah push ${{ inputs.registry }}/${{ inputs.image_name }}:${{ inputs.version }}
-        buildah push ${{ inputs.registry }}/${{ inputs.image_name }}:${{ github.sha }}
+        docker push ${{ inputs.registry }}/${{ inputs.image_name }}:${{ inputs.version }}
+        docker push ${{ inputs.registry }}/${{ inputs.image_name }}:${{ github.sha }}
 
     - name: Summary
       shell: bash
       run: |
-        echo "✅ Built and pushed:"
+        echo "Built and pushed:"
         echo " ${{ inputs.registry }}/${{ inputs.image_name }}:${{ inputs.version }}"
         echo " ${{ inputs.registry }}/${{ inputs.image_name }}:${{ github.sha }}"
         echo ""
         echo "Registry tags:"
-        curl -sf "https://${{ inputs.registry }}/v2/${{ inputs.image_name }}/tags/list" | jq -r '.tags[]' | sort -V | tail -10
+        curl -sf "https://${{ inputs.registry }}/v2/${{ inputs.image_name }}/tags/list" | jq -r '.tags[]' | sort -V | tail -10 || true
diff --git a/.forgejo/workflows/build-devpi.yaml b/.forgejo/workflows/build-devpi.yaml
index 89318b6..5329b77 100644
--- a/.forgejo/workflows/build-devpi.yaml
+++ b/.forgejo/workflows/build-devpi.yaml
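Review bot: The `Build image with Docker` step splices `${{ inputs.image_name }}`, `${{ inputs.version }}`, `${{ inputs.registry }}` and `${{ inputs.context }}` straight into the bash script; the runner expands these before the shell ever sees them, so any caller that derives `version` from a branch or tag name turns a crafted ref into command execution on the docker-builder host, which now holds the Docker socket. The conventional hardening is to pass the inputs through `env:` and reference them as quoted shell variables, and the same applies to the push and summary steps in the following hunk. Unrelated but visible here: there is no `docker login` before `docker push`, so pushes rely entirely on network-level trust of the registry, which makes the existing TODO about zot tag immutability more pressing.
```yaml
    - name: Build image with Docker
      shell: bash
      env:
        REGISTRY: ${{ inputs.registry }}
        IMAGE_NAME: ${{ inputs.image_name }}
        VERSION: ${{ inputs.version }}
        CONTEXT: ${{ inputs.context }}
        DOCKERFILE: ${{ inputs.dockerfile }}
        GIT_SHA: ${{ github.sha }}
      run: |
        echo "Building ${IMAGE_NAME}:${VERSION}"
        docker build \
          --tag "${REGISTRY}/${IMAGE_NAME}:${VERSION}" \
          --tag "${REGISTRY}/${IMAGE_NAME}:${GIT_SHA}" \
          --file "${CONTEXT}/${DOCKERFILE}" \
        # … unchanged: trailing build-context argument …
```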
@@ -12,7 +12,7 @@ on:
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: docker-builder
     steps:
       - name: Checkout
         uses: actions/checkout@v4
diff --git a/.forgejo/workflows/build-runner.yaml b/.forgejo/workflows/build-runner.yaml
index 54162b6..44be98f 100644
--- a/.forgejo/workflows/build-runner.yaml
+++ b/.forgejo/workflows/build-runner.yaml
@@ -12,7 +12,7 @@ on:
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: docker-builder
     steps:
       - name: Checkout
         uses: actions/checkout@v4
diff --git a/.github/actionlint.yaml b/.github/actionlint.yaml
new file mode 100644
index 0000000..12f3259
--- /dev/null
+++ b/.github/actionlint.yaml
@@ -0,0 +1,5 @@
+self-hosted-runner:
+  labels:
+    - docker-builder
+    - ubuntu-latest
+    - ubuntu-22.04
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 421de65..d673cc3 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -86,4 +86,5 @@ repos:
     rev: v1.7.10
     hooks:
       - id: actionlint-system
+        args: ['-config-file', '.github/actionlint.yaml']
         files: ^\.forgejo/workflows/
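Review bot: Moving `build` to `runs-on: docker-builder` puts this job on the runner that exposes the host Docker socket, so the workflow's triggers now decide who gets daemon-level access; the `on:` block sits above this hunk and is not visible here, so please confirm it is limited to `push` on trusted branches or tags and does not fire on pull requests from forks. While here, `uses: actions/checkout@v4` is a mutable tag executing on that same privileged host; pinning it to a commit SHA (`uses: actions/checkout@<commit-sha>  # v4`) is the usual supply-chain hardening, and build-runner.yaml carries the identical change.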