From 9e587ddadf7badd9ded2e8eb59b56c6bed4d81ea Mon Sep 17 00:00:00 2001
From: Michal
Date: Mon, 9 Mar 2026 03:02:40 +0000
Subject: [PATCH] ci: use buildah chroot isolation (no user namespaces in container)
Runner container has no /proc/self/uid_map (no user namespace support). Chroot isolation doesn't need namespaces, only filesystem access.
Co-Authored-By: Claude Opus 4.6
---
 .gitea/workflows/ci.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 11b723c..f8489bd 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -153,7 +153,7 @@ jobs:
 - name: Build & push mcpd
 run: |
- buildah --storage-driver vfs bud -t mcpd:latest -f deploy/Dockerfile.mcpd .
+ buildah --storage-driver vfs --isolation chroot bud -t mcpd:latest -f deploy/Dockerfile.mcpd .
 buildah --storage-driver vfs push --tls-verify=false \
 --creds "${{ env.OWNER }}:${{ secrets.PACKAGES_TOKEN }}" \
 mcpd:latest \
@@ -161,7 +161,7 @@ jobs:
 - name: Build & push node-runner
 run: |
- buildah --storage-driver vfs bud -t node-runner:latest -f deploy/Dockerfile.node-runner .
+ buildah --storage-driver vfs --isolation chroot bud -t node-runner:latest -f deploy/Dockerfile.node-runner .
 buildah --storage-driver vfs push --tls-verify=false \
 --creds "${{ env.OWNER }}:${{ secrets.PACKAGES_TOKEN }}" \
 node-runner:latest \
@@ -169,7 +169,7 @@ jobs:
 - name: Build & push python-runner
 run: |
- buildah --storage-driver vfs bud -t python-runner:latest -f deploy/Dockerfile.python-runner .
+ buildah --storage-driver vfs --isolation chroot bud -t python-runner:latest -f deploy/Dockerfile.python-runner .
 buildah --storage-driver vfs push --tls-verify=false \
 --creds "${{ env.OWNER }}:${{ secrets.PACKAGES_TOKEN }}" \
 python-runner:latest \
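Review bot: Nothing in the workflow records the isolation trade-off that `--isolation chroot` introduces on the mcpd `bud` line, and likewise on the node-runner, python-runner and docmost-mcp `bud` lines. Per buildah's documentation, chroot isolation reuses the caller's network, IPC and PID namespaces and creates only private mount and UTS namespaces, so the Dockerfiles' `RUN` steps and their base images become as trusted as the runner container, in a job that also holds `secrets.PACKAGES_TOKEN`. I would add a comment above the first build step, for example `# chroot isolation: runner has no user namespaces; RUN steps are not namespace-isolated from the runner, so keep Dockerfiles and base images trusted`. The unchanged push line still passes `--tls-verify=false` together with `--creds`, so the token goes to a registry whose certificate is not checked; that deserves a follow-up. Each `run:` block continues past the end of its hunk.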
@@ -177,7 +177,7 @@ jobs:
 - name: Build & push docmost-mcp
 run: |
- buildah --storage-driver vfs bud -t docmost-mcp:latest -f deploy/Dockerfile.docmost-mcp .
+ buildah --storage-driver vfs --isolation chroot bud -t docmost-mcp:latest -f deploy/Dockerfile.docmost-mcp .
 buildah --storage-driver vfs push --tls-verify=false \
 --creds "${{ env.OWNER }}:${{ secrets.PACKAGES_TOKEN }}" \
 docmost-mcp:latest \
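Review bot: The flag `--isolation chroot` is now hand-copied onto four `bud` lines (this hunk plus the mcpd, node-runner and python-runner hunks), so a later build step can easily be added without it. It is also placed before the subcommand, although buildah documents `--isolation` as an option of `build`/`bud`. Setting it once for the job with an `env:` entry `BUILDAH_ISOLATION: chroot` keeps the steps consistent; if the flag stays inline, `buildah --storage-driver vfs bud --isolation chroot -t docmost-mcp:latest -f deploy/Dockerfile.docmost-mcp .` matches the documented form. The job definition and the end of this `run:` block are outside the hunk, so whether a job-level `env:` already exists cannot be seen from here.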