gitea-actions: run CI jobs in rootless-podman containers

Switch the act_runners from :host execution to docker:// images backed by
a rootless podman socket under the gitea-runner user, so each job runs in
its own ephemeral container with per-job Go caches. This eliminates the
cross-repo GOMODCACHE/go-build poisoning that forced the debyl runner to
capacity:1.

- deps.yml: enable the rootless --user podman.socket, ensure subuid/subgid,
  register gitea_runner_uid; drop the rootful system socket override,
  podman-docker and host golang
- images.yml + Containerfile.ci/.espidf: build localhost/gitea-ci and
  localhost/gitea-ci-espidf into the runner's rootless image store
- config.yaml.j2: docker:// labels (per-runner overridable), docker_host
  -> rootless socket, force_pull false
- act_runner.service.j2: XDG_RUNTIME_DIR + DOCKER_HOST -> user socket
- defaults: uniform capacity:4 (drop the debyl capacity:1 workaround);
  esp_idf_version now tags the espressif/idf-based image
- main.yml: import images.yml, drop the host esp-idf install (firmware jobs
  use the espressif/idf job container instead)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

ansible/roles/gitea-actions/tasks/deps.yml

@@ -1,38 +1,69 @@
 ---
-- name: install podman-docker for docker CLI compatibility
+- name: install podman for rootless CI job containers
   become: true
   ansible.builtin.dnf:
     name:
-      - podman-docker
-      - golang
+      - podman
     state: present
   tags: gitea-actions
 
-- name: create podman socket override directory
+- name: look up gitea-runner uid
   become: true
-  ansible.builtin.file:
-    path: /etc/systemd/system/podman.socket.d
-    state: directory
-    mode: "0755"
+  changed_when: false
+  check_mode: false
+  ansible.builtin.command: id -u {{ gitea_runner_user }}
+  register: gitea_runner_id
+  tags:
+    - gitea-actions
+    - always
+
+- name: set gitea_runner_uid fact
+  ansible.builtin.set_fact:
+    gitea_runner_uid: "{{ gitea_runner_id.stdout | trim }}"
+  tags:
+    - gitea-actions
+    - always
+
+# Rootless podman needs subuid/subgid ranges for the runner user. Fedora's
+# useradd normally assigns them automatically; ensure they exist regardless.
+- name: check gitea-runner subuid mapping
+  become: true
+  ansible.builtin.command: grep -q "^{{ gitea_runner_user }}:" /etc/subuid
+  register: gitea_runner_subuid
+  changed_when: false
+  failed_when: false
   tags: gitea-actions
 
-- name: configure podman socket for gitea-runner access
+- name: assign subuid/subgid ranges for gitea-runner
   become: true
-  ansible.builtin.copy:
-    dest: /etc/systemd/system/podman.socket.d/override.conf
-    content: |
-      [Socket]
-      SocketMode=0660
-      SocketGroup={{ gitea_runner_user }}
-    mode: "0644"
-  notify: restart podman socket
+  ansible.builtin.command: >-
+    usermod
+    --add-subuids 100000000-100065535
+    --add-subgids 100000000-100065535
+    {{ gitea_runner_user }}
+  when: gitea_runner_subuid.rc != 0
+  register: gitea_runner_subuid_added
   tags: gitea-actions
 
-- name: enable system podman socket
+- name: migrate gitea-runner podman storage to new id mapping
   become: true
+  become_user: "{{ gitea_runner_user }}"
+  ansible.builtin.command: podman system migrate
+  environment:
+    XDG_RUNTIME_DIR: "/run/user/{{ gitea_runner_uid }}"
+  when: gitea_runner_subuid_added is changed
+  changed_when: true
+  tags: gitea-actions
+
+- name: enable rootless podman socket for gitea-runner
+  become: true
+  become_user: "{{ gitea_runner_user }}"
   ansible.builtin.systemd:
     name: podman.socket
-    daemon_reload: true
+    scope: user
     enabled: true
     state: started
+    daemon_reload: true
+  environment:
+    XDG_RUNTIME_DIR: "/run/user/{{ gitea_runner_uid }}"
   tags: gitea-actions