gitea-actions: run CI jobs in rootless-podman containers

Switch the act_runners from :host execution to docker:// images backed by
a rootless podman socket under the gitea-runner user, so each job runs in
its own ephemeral container with per-job Go caches. This eliminates the
cross-repo GOMODCACHE/go-build poisoning that forced the debyl runner to
capacity:1.

- deps.yml: enable the rootless --user podman.socket, ensure subuid/subgid,
  register gitea_runner_uid; drop the rootful system socket override,
  podman-docker and host golang
- images.yml + Containerfile.ci/.espidf: build localhost/gitea-ci and
  localhost/gitea-ci-espidf into the runner's rootless image store
- config.yaml.j2: docker:// labels (per-runner overridable), docker_host
  -> rootless socket, force_pull false
- act_runner.service.j2: XDG_RUNTIME_DIR + DOCKER_HOST -> user socket
- defaults: uniform capacity:4 (drop the debyl capacity:1 workaround);
  esp_idf_version now tags the espressif/idf-based image
- main.yml: import images.yml, drop the host esp-idf install (firmware jobs
  use the espressif/idf job container instead)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

ansible/roles/gitea-actions/templates/Containerfile.ci

@@ -0,0 +1,24 @@
+# Default Gitea Actions job image (managed by ansible: roles/gitea-actions).
+# Covers Go/web/node jobs plus `docker build` (talks to the mounted rootless
+# podman socket). Go toolchains are provided per-job by actions/setup-go.
+FROM node:20-bookworm-slim
+
+ARG DOCKER_CLI_VERSION=27.3.1
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+        ca-certificates curl git openssh-client make build-essential \
+        python3 python3-pip jq unzip \
+    && rm -rf /var/lib/apt/lists/*
+
+# Static docker client (no daemon) for jobs that run `docker build` against the
+# mounted podman socket (/var/run/docker.sock).
+RUN curl -fsSL "https://download.docker.com/linux/static/stable/x86_64/docker-${DOCKER_CLI_VERSION}.tgz" \
+        | tar -xz -C /tmp \
+    && install -m0755 /tmp/docker/docker /usr/local/bin/docker \
+    && rm -rf /tmp/docker
+
+# AWS CLI v2 — several workflows upload artifacts / deploy Lambda.
+RUN curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o /tmp/awscliv2.zip \
+    && unzip -q /tmp/awscliv2.zip -d /tmp \
+    && /tmp/aws/install \
+    && rm -rf /tmp/aws /tmp/awscliv2.zip

ansible/roles/gitea-actions/templates/Containerfile.espidf.j2

@@ -0,0 +1,16 @@
+# ESP-IDF firmware job image (managed by ansible: roles/gitea-actions).
+# Adds node (required by actions/checkout and other JS actions) and the AWS CLI
+# (firmware artifacts ship to S3) on top of the official Espressif toolchain.
+# IDF lives at /opt/esp/idf — firmware jobs source /opt/esp/idf/export.sh.
+FROM espressif/idf:{{ esp_idf_version }}
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+        curl ca-certificates unzip \
+    && curl -fsSL https://deb.nodesource.com/setup_20.x | bash - \
+    && apt-get install -y --no-install-recommends nodejs \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o /tmp/awscliv2.zip \
+    && unzip -q /tmp/awscliv2.zip -d /tmp \
+    && /tmp/aws/install \
+    && rm -rf /tmp/aws /tmp/awscliv2.zip

ansible/roles/gitea-actions/templates/act_runner.service.j2

@@ -1,7 +1,7 @@
 [Unit]
 Description=Gitea Actions runner ({{ runner_name }})
 Documentation=https://gitea.com/gitea/act_runner
-After=network.target podman.socket
+After=network.target
 
 [Service]
 ExecStart={{ act_runner_bin }} daemon --config {{ act_runner_config_dir }}/config-{{ runner_name }}.yaml
@@ -10,7 +10,8 @@ TimeoutSec=0
 RestartSec=10
 Restart=always
 User={{ gitea_runner_user }}
-Environment="DOCKER_HOST=unix:///run/podman/podman.sock"
+Environment="XDG_RUNTIME_DIR=/run/user/{{ gitea_runner_uid }}"
+Environment="DOCKER_HOST=unix:///run/user/{{ gitea_runner_uid }}/podman/podman.sock"
 
 [Install]
 WantedBy=multi-user.target

ansible/roles/gitea-actions/templates/config.yaml.j2

@@ -3,27 +3,32 @@ log:
 
 runner:
   file: {{ act_runner_work_dir }}/{{ runner_name }}/.runner
-  capacity: {{ gitea_runner_capacity | default(4) }}
+  capacity: {{ runner_capacity | default(gitea_runner_capacity) | default(4) }}
   timeout: 3h
   insecure: false
   fetch_timeout: 5s
   fetch_interval: 2s
   labels:
-    - ubuntu-latest:host
-    - ubuntu-22.04:host
-    - fedora:host
+{% for label in runner_labels | default(gitea_runner_labels) %}
+    - {{ label }}
+{% endfor %}
 
 cache:
   enabled: true
   dir: {{ act_runner_work_dir }}/{{ runner_name }}/cache
 
 container:
+  # Each job runs in its own ephemeral container (docker:// labels) backed by
+  # the gitea-runner user's rootless podman socket — this is what isolates the
+  # per-job Go module/build caches and fixes cross-repo cache poisoning.
   network: host
   privileged: false
   options:
   workdir_parent:
   valid_volumes: []
-  docker_host: ""
+  # Point act at the real rootless socket so it mounts the correct path into
+  # job containers (the documented rootless-podman gotcha).
+  docker_host: "unix:///run/user/{{ gitea_runner_uid }}/podman/podman.sock"
   force_pull: false
 
 host: