From 70eddaff654a8d62ceda276d0b97958bb8c2931c Mon Sep 17 00:00:00 2001
From: xnoto <steven@makeitwork.cloud>
Date: Wed, 29 Apr 2026 15:46:11 -0600
Subject: [PATCH 1/2] ci: also push on workflow_dispatch (manual deploy from
 Actions pane)

Loosens the Push to registry gate so manual workflow_dispatch
runs publish to ghcr in addition to push-to-main events. Pull
request runs continue to skip the step (validation only).

Lets the user kick off a fresh build+push of one or all images
from the Actions pane "Run workflow" button without needing a
no-op commit on main to trigger via paths.
---
 .github/workflows/buildah.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/buildah.yml b/.github/workflows/buildah.yml
index da6507a..2a5f3e9 100644
--- a/.github/workflows/buildah.yml
+++ b/.github/workflows/buildah.yml
@@ -91,7 +91,12 @@ jobs:
           extra-args: --squash
 
       - name: Push to registry
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        # Auto-deploy when an image change pushes to main, OR run manually from
+        # the Actions pane via workflow_dispatch (which can target a specific
+        # image via the `image` input).
+        if: |
+          (github.event_name == 'push' && github.ref == 'refs/heads/main') ||
+          github.event_name == 'workflow_dispatch'
         uses: redhat-actions/push-to-registry@v2
         with:
           image: ${{ matrix.image }}

From 7d4ae04f142479acc80c4557d4342a1758efc442 Mon Sep 17 00:00:00 2001
From: xnoto <steven@makeitwork.cloud>
Date: Wed, 29 Apr 2026 19:16:47 -0600
Subject: [PATCH 2/2] fix(gh-cli): use numeric USER 1000 so kubelet's
 runAsNonRoot check passes

USER gh resolves to a name in image config; kubelet can't validate non-root
without a numeric UID, so consumers either had to set runAsUser explicitly
or skip runAsNonRoot. Use the existing UID (1000) directly.
---
 gh-cli/Containerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gh-cli/Containerfile b/gh-cli/Containerfile
index 3ed5a1c..70a73ff 100644
--- a/gh-cli/Containerfile
+++ b/gh-cli/Containerfile
@@ -10,7 +10,7 @@ RUN apk add --no-cache github-cli bash \
     && adduser -D -u 1000 gh \
     && rm -rf /var/cache/apk/* /tmp/* /root/.cache
 
-USER gh
+USER 1000
 WORKDIR /home/gh
 
 ENTRYPOINT ["/bin/bash"]