diff --git a/.forgejo/workflows/self-deploy.yml b/.forgejo/workflows/self-deploy.yml
index 4153dbdfa..d975608db 100644
--- a/.forgejo/workflows/self-deploy.yml
+++ b/.forgejo/workflows/self-deploy.yml
@@ -92,8 +92,16 @@ jobs:
       - name: Build server image (rootless buildah)
         run: |
           set -euo pipefail
+          # buildah needs a containers policy file; the runner image doesn't
+          # ship one. Write a permissive "trust-all" policy inline.
+          mkdir -p "$HOME/.config/containers"
+          printf '%s\n' '{"default":[{"type":"insecureAcceptAnything"}]}' \
+            > "$HOME/.config/containers/policy.json"
           nix run nixpkgs#buildah -- bud \
+            --signature-policy="$HOME/.config/containers/policy.json" \
             --storage-driver=vfs \
+            --root="$HOME/.local/share/containers/storage" \
+            --runroot="$HOME/.local/share/containers/runroot" \
             --isolation=chroot \
             -f docker/Dockerfile.sf-server \
             --build-arg "SF_GIT_SHA=${GITHUB_SHA:-$(git rev-parse HEAD)}" \
@@ -116,7 +124,7 @@ jobs:
           nix run nixpkgs#skopeo -- copy \
             --insecure-policy \
             $creds_arg \
-            "containers-storage:[vfs@/var/lib/containers/storage+/var/run/containers/storage]${{ steps.image.outputs.image }}" \
+            "containers-storage:[vfs@$HOME/.local/share/containers/storage+$HOME/.local/share/containers/runroot]${{ steps.image.outputs.image }}" \
             "docker://${{ steps.image.outputs.image }}"
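Review bot: The `printf` on the new policy line overwrites `$HOME/.config/containers/policy.json` unconditionally, so if a runner image later ships a stricter user-level policy, or one is provisioned on purpose, this step silently replaces it with trust-all even though the comment claims no policy exists. Guarding the write keeps the comment's premise true in code: `[ -f "$HOME/.config/containers/policy.json" ] || printf '%s\n' '{"default":[{"type":"insecureAcceptAnything"}]}' > "$HOME/.config/containers/policy.json"`. The comment should also state the cost of the choice, e.g. `# insecureAcceptAnything disables signature checks for the base image bud pulls; matches the --insecure-policy skopeo copy below`, so a later reader does not mistake it for a harmless default. The `--root`/`--runroot` paths added here are repeated verbatim inside the `containers-storage:` reference in the skopeo hunk at line 116; defining them once (a job-level `env:` entry, or a variable exported in a prior step) would stop the two from drifting apart, which would otherwise fail only at push time. The `run:` script continues past the end of this hunk.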