From 4cbfb2508d8c41d27ac0cceeb86ee155b94dd411 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hartmut=20N=C3=B6renberg?= <hn@hartmut-noerenberg.com>
Date: Mon, 13 Apr 2026 08:31:01 +0200
Subject: [PATCH] ci(release): build images with plain docker, not buildx

The QNAP host kernel rejects fchmodat2 AT_EMPTY_PATH calls that newer
buildkit's runc emits, breaking docker/build-push-action@v5. The
docker-deploy-test job already builds the same Dockerfile.prod via
plain docker build (DooD) and works, so do the same here: drop the
buildx setup and use docker build + docker push directly against the
host daemon.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .github/workflows/release-image.yml | 39 +++++++++++++----------------
 1 file changed, 18 insertions(+), 21 deletions(-)

diff --git a/.github/workflows/release-image.yml b/.github/workflows/release-image.yml
index c43ba34..7a5c550 100644
--- a/.github/workflows/release-image.yml
+++ b/.github/workflows/release-image.yml
@@ -31,9 +31,6 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: Set up Docker Buildx
-        run: docker buildx create --use --name ci-builder 2>/dev/null || true
-
       - id: registry
         name: Resolve Gitea registry host
         # GITHUB_SERVER_URL inside act_runner resolves to the *internal* Gitea
@@ -64,28 +61,28 @@ jobs:
           echo "migrator_image=${host}/${owner}/${repo}-migrator:${image_tag}" >> "$GITHUB_OUTPUT"
 
       # Guardrail anchor: target: runner
+      # Use plain `docker build` against the host daemon (DooD) instead of
+      # docker/build-push-action's buildx+buildkit container, which fails on
+      # the QNAP host with `runc ... fchmodat2 AT_EMPTY_PATH: no such file or
+      # directory` (older kernel rejects newer buildkit's runc syscalls).
       - name: Build and push app image
-        uses: docker/build-push-action@v5
-        with:
-          context: .
-          file: ./Dockerfile.prod
-          target: runner
-          push: true
-          tags: ${{ steps.vars.outputs.app_image }}
-          cache-from: type=gha,scope=app
-          cache-to: type=gha,mode=max,scope=app
+        run: |
+          docker build \
+            -f ./Dockerfile.prod \
+            --target runner \
+            -t "${{ steps.vars.outputs.app_image }}" \
+            .
+          docker push "${{ steps.vars.outputs.app_image }}"
 
       # Guardrail anchor: target: migrator
       - name: Build and push migrator image
-        uses: docker/build-push-action@v5
-        with:
-          context: .
-          file: ./Dockerfile.prod
-          target: migrator
-          push: true
-          tags: ${{ steps.vars.outputs.migrator_image }}
-          cache-from: type=gha,scope=migrator
-          cache-to: type=gha,mode=max,scope=migrator
+        run: |
+          docker build \
+            -f ./Dockerfile.prod \
+            --target migrator \
+            -t "${{ steps.vars.outputs.migrator_image }}" \
+            .
+          docker push "${{ steps.vars.outputs.migrator_image }}"
 
       - name: Release summary
         run: |