ci: provide buildah signature-policy + explicit storage paths

buildah needs a policy.json file to authorize image pulls; the runner
image doesn't ship one. Write a permissive trust-all policy inline at
$HOME/.config/containers/policy.json and pass --signature-policy to both
buildah and skopeo. Also pin --root + --runroot so skopeo's
containers-storage URL matches buildah's actual store location.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.forgejo/workflows/self-deploy.yml

@@ -92,8 +92,16 @@ jobs:
       - name: Build server image (rootless buildah)
         run: |
           set -euo pipefail
+          # buildah needs a containers policy file; the runner image doesn't
+          # ship one. Write a permissive "trust-all" policy inline.
+          mkdir -p "$HOME/.config/containers"
+          printf '%s\n' '{"default":[{"type":"insecureAcceptAnything"}]}' \
+            > "$HOME/.config/containers/policy.json"
           nix run nixpkgs#buildah -- bud \
+            --signature-policy="$HOME/.config/containers/policy.json" \
             --storage-driver=vfs \
+            --root="$HOME/.local/share/containers/storage" \
+            --runroot="$HOME/.local/share/containers/runroot" \
             --isolation=chroot \
             -f docker/Dockerfile.sf-server \
             --build-arg "SF_GIT_SHA=${GITHUB_SHA:-$(git rev-parse HEAD)}" \
@@ -116,7 +124,7 @@ jobs:
           nix run nixpkgs#skopeo -- copy \
             --insecure-policy \
             $creds_arg \
-            "containers-storage:[vfs@/var/lib/containers/storage+/var/run/containers/storage]${{ steps.image.outputs.image }}" \
+            "containers-storage:[vfs@$HOME/.local/share/containers/storage+$HOME/.local/share/containers/runroot]${{ steps.image.outputs.image }}" \
             "docker://${{ steps.image.outputs.image }}"