ci: use docker:cli container override for image-pull job

- Replace static docker binary download with container: image: docker:cli
- Remove act-runner labels config (default already uses proper Ubuntu image)
- Remove CONFIG_FILE env var (no longer needed)

.gitea/workflows/ci.yml

@@ -58,6 +58,11 @@ jobs:
     runs-on: ubuntu-latest
     # Only run on PRs that touch nomad job specs
     if: github.event_name == 'pull_request'
+    # Use the official Docker CLI image so we get a versioned, maintained docker
+    # binary without hardcoding a static download URL. The runner's docker socket
+    # is already mounted by act_runner, so docker commands work out of the box.
+    container:
+      image: docker:cli
 
     steps:
       - uses: actions/checkout@v4
@@ -66,8 +71,6 @@ jobs:
 
       - name: Pull changed images
         run: |
-          curl -fsSL https://download.docker.com/linux/static/stable/x86_64/docker-27.5.1.tgz \
-            | tar -xz --strip-components=1 -C /usr/local/bin docker/docker
           git fetch origin ${{ github.base_ref }}
           IMAGES=$(git diff origin/${{ github.base_ref }}...HEAD -- '*.nomad.hcl' \
             | grep '^+\s*image\s*=' \

2-nomad-config/act-runner.nomad.hcl

@@ -29,7 +29,6 @@ job "act-runner" {
 
       env = {
         GITEA_INSTANCE_URL = "https://gitea-1ef0bea6b75a4fd3e9393a9f7f7e4b02.othrayte.one"
-        CONFIG_FILE        = "/secrets/runner-config.yml"
       }
 
       # Required SOPS key:
@@ -43,19 +42,6 @@ EOF
         env         = true
       }
 
-      # Limit which images/labels the runner will accept so it doesn't pick up
-      # unrelated workloads if more runners are added later.
-      template {
-        data        = <<EOF
-runner:
-  labels:
-    - "ubuntu-latest:docker://node:20-bookworm"
-    - "ubuntu-22.04:docker://node:20-bookworm"
-    - "ubuntu-24.04:docker://node:20-bookworm"
-EOF
-        destination = "secrets/runner-config.yml"
-      }
-
       resources {
         cpu        = 200
         memory     = 256