Add subuid/subgid for rootless buildah

Buildah needs UID/GID remapping to extract images with files
owned by different users (root, shadow, etc). Configure
subordinate UID/GID ranges for the runner user.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

argocd/manifests/forgejo-runner/Dockerfile

@@ -17,8 +17,11 @@ RUN make clean && make build
 FROM alpine:3.21
 
 # Create runner user with proper passwd entry (required by buildah)
+# Also configure subuid/subgid for rootless container builds
 RUN addgroup -g 1000 runner && \
-    adduser -D -u 1000 -G runner -h /data runner
+    adduser -D -u 1000 -G runner -h /data runner && \
+    echo "runner:100000:65536" >> /etc/subuid && \
+    echo "runner:100000:65536" >> /etc/subgid
 
 # Install runtime dependencies
 RUN apk add --no-cache \

argocd/manifests/forgejo-runner/deployment.yaml

@@ -16,7 +16,7 @@ spec:
       serviceAccountName: forgejo-runner
       containers:
         - name: runner
-          image: registry.tail8d86e.ts.net/blumeops/forgejo-runner:v1.0.1
+          image: registry.tail8d86e.ts.net/blumeops/forgejo-runner:v1.0.3
           env:
             # Use internal k8s service via Tailscale operator egress
             - name: FORGEJO_INSTANCE_URL