fix: run all CI jobs in containers via container directive

The linux runner has no git/node on host and rootless podman
lacks namespace privileges. Use container: directive for every
job: alpine for secrets (gitleaks binary), docker:latest for
build (docker socket mounted by runner).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.gitea/workflows/ci.yml

@@ -42,35 +42,36 @@ jobs:
 
   secrets:
     runs-on: linux
+    container:
+      image: alpine:latest
     steps:
       - name: Checkout
         run: |
-          podman run --rm \
-            -v "$PWD:/repo" \
-            -w /repo \
-            alpine/git:latest \
-            clone --branch "${GITHUB_REF_NAME}" "https://oauth2:${{ github.token }}@${GITHUB_SERVER_URL#https://}/${GITHUB_REPOSITORY}.git" .
-      - name: Scan for secrets
+          apk add --no-cache -q git curl
+          git clone --branch "${GITHUB_REF_NAME}" \
+            "https://oauth2:${{ github.token }}@${GITHUB_SERVER_URL#https://}/${GITHUB_REPOSITORY}.git" .
+      - name: Install gitleaks
         run: |
-          podman run --rm \
-            -v "$PWD:/scan:ro" \
-            ghcr.io/gitleaks/gitleaks:latest \
-            detect --source /scan -v
+          ARCH=$(uname -m | sed 's/x86_64/x64/;s/aarch64/arm64/')
+          curl -sSL "https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks_8.22.1_linux_${ARCH}.tar.gz" \
+            | tar xz -C /usr/local/bin/ gitleaks
+      - name: Scan for secrets
+        run: gitleaks detect --source . -v
 
   build:
     runs-on: linux
     needs: [test, secrets]
     if: github.event_name == 'push' && github.ref == 'refs/heads/master'
+    container:
+      image: docker:latest
     steps:
       - name: Checkout
         run: |
-          podman run --rm \
-            -v "$PWD:/repo" \
-            -w /repo \
-            alpine/git:latest \
-            clone --depth 1 --branch "${GITHUB_REF_NAME}" "https://oauth2:${{ github.token }}@${GITHUB_SERVER_URL#https://}/${GITHUB_REPOSITORY}.git" .
+          apk add --no-cache -q git
+          git clone --depth 1 --branch "${GITHUB_REF_NAME}" \
+            "https://oauth2:${{ github.token }}@${GITHUB_SERVER_URL#https://}/${GITHUB_REPOSITORY}.git" .
       - name: Login to Harbor
-        run: echo "$HARBOR_PASS" | podman login -u "$HARBOR_USER" --password-stdin harbor.mymx.me
+        run: echo "$HARBOR_PASS" | docker login -u "$HARBOR_USER" --password-stdin harbor.mymx.me
         env:
           HARBOR_USER: ${{ secrets.HARBOR_USER }}
           HARBOR_PASS: ${{ secrets.HARBOR_PASS }}
@@ -78,6 +79,6 @@ jobs:
         run: |
           TAG="harbor.mymx.me/library/bouncer:${GITHUB_SHA::8}"
           LATEST="harbor.mymx.me/library/bouncer:latest"
-          podman build -t "$TAG" -t "$LATEST" -f Containerfile .
-          podman push "$TAG"
-          podman push "$LATEST"
+          docker build -t "$TAG" -t "$LATEST" -f Containerfile .
+          docker push "$TAG"
+          docker push "$LATEST"