ci(bluebuild): use ghcr.io/blue-build/cli container instead of action

The blue-build/github-action requires docker buildx which podman
doesn't ship. Symlinking podman as docker isn't enough — the action
calls 'docker buildx inspect' / 'docker buildx rm' which podman
doesn't implement. Pull the official BlueBuild CLI container and run
it with --build-driver buildah; works against podman storage with no
docker dependency.

.github/workflows/build-bluebuild.yml

@@ -95,26 +95,29 @@ jobs:
           chmod +x /usr/local/bin/cosign
           cosign version
 
-      - name: Build OCI image with BlueBuild action
+      - name: Build OCI image with BlueBuild CLI container
         id: bluebuild
-        # Composite action — runs podman + buildah inside; works on
+        # blue-build/github-action requires docker buildx which podman
-        # Forgejo runner same as GH-hosted. Pinned to commit SHA per
+        # doesn't ship. Run the official BlueBuild CLI container with
-        # the v0.5 CI hardening pass.
+        # buildah driver instead — works against rootless or rootful
-        uses: blue-build/github-action@24d146df25adc2cf579e918efe2d9bff6adea408 # v1
+        # podman, no docker dependency.
-        with:
-          recipe: bluebuild/recipe.yml
-          # registry_token is consumed by the action to publish; for
-          # the Forgejo path we re-tag + push manually below, so this
-          # token only matters for the GH-mirror path.
-          registry_token: ${{ secrets.GITHUB_TOKEN }}
-          pr_event_number: ${{ github.event.number }}
-          maximize_build_space: false
-
-      - name: Re-tag local OCI for Forgejo + GHCR
         run: |
           set -euxo pipefail
-          # The action emits the local image as `<recipe-name>:<tag>`.
+          # Pull cli image; pinned to v0.9.x at action time.
-          # Confirm it landed, then add registry-prefixed tags.
+          podman pull ghcr.io/blue-build/cli:latest
+          # Mount the repo + podman socket; build with buildah driver.
+          podman run --rm \
+            --privileged \
+            -v "$PWD:/work" \
+            -w /work \
+            -e BB_BUILD_DRIVER=buildah \
+            ghcr.io/blue-build/cli:latest \
+            build \
+              --build-driver buildah \
+              --inspect-driver skopeo \
+              bluebuild/recipe.yml
+          # bluebuild CLI tags as <recipe-name>:<tag> in local podman
+          # storage. List + verify, then re-tag for the registries.
           podman images
           podman tag localhost/veilor-os:latest "${FORGEJO_IMAGE}:${OCI_TAG}" || true
           podman tag localhost/veilor-os:latest "${FORGEJO_IMAGE}:latest" || true