fix: use container: directive instead of podman run on host

Match s5p CI pattern — run jobs inside containers managed by the
runner rather than invoking podman directly on the host. Avoids
rootless namespace permission issues.

.gitea/workflows/ci.yml

@@ -1,4 +1,4 @@
-name: CI
+name: ci
 
 on:
   push:
@@ -9,18 +9,22 @@ on:
 jobs:
   lint:
     runs-on: linux
+    container: docker.io/davidanson/markdownlint-cli2:v0.17.2
     steps:
-      - name: Checkout
+      - run: apk add --no-cache git
-        run: podman run --rm -v "$PWD:/out:Z" docker.io/library/alpine:3 sh -c "wget -qO- '${{ github.server_url }}/${{ github.repository }}/archive/${{ github.ref_name }}.tar.gz' | tar xz -C /out --strip-components=1"
+      - run: |
-
+          git clone --depth 1 \
-      - name: Markdown lint
+            -c "http.extraHeader=Authorization: token ${{ github.token }}" \
-        run: podman run --rm -v "$PWD:/work:Z" docker.io/davidanson/markdownlint-cli2:v0.17.2 "**/*.md"
+            "${{ github.server_url }}/${{ github.repository }}.git" .
+      - run: markdownlint-cli2 "**/*.md"
 
   link-check:
     runs-on: linux
+    container: python:3.12-slim
     steps:
-      - name: Checkout
+      - run: apt-get update -qq && apt-get install -y -qq git > /dev/null
-        run: podman run --rm -v "$PWD:/out:Z" docker.io/library/alpine:3 sh -c "wget -qO- '${{ github.server_url }}/${{ github.repository }}/archive/${{ github.ref_name }}.tar.gz' | tar xz -C /out --strip-components=1"
+      - run: |
-
+          git clone --depth 1 \
-      - name: Check internal links
+            -c "http.extraHeader=Authorization: token ${{ github.token }}" \
-        run: podman run --rm -v "$PWD:/work:Z" -w /work docker.io/library/python:3.12-slim python3 scripts/check-links.py
+            "${{ github.server_url }}/${{ github.repository }}.git" .
+      - run: python3 scripts/check-links.py