ci: drop dead docker.io from straw-build image

Publish moved off the host docker socket to a rootless SSH forced-command on Lucy (#444), so the docker CLI in the build image is now unused. Keep openssh-client (the publish step ssh's the signed APK to the host).
2026-06-26 20:05:12 -07:00 · 2026-06-26 20:05:12 -07:00 · 14d38b27e4
commit 14d38b27e4
parent e11cc6a854
1 changed files with 6 additions and 4 deletions
--- a/ci/Dockerfile
+++ b/ci/Dockerfile
@ -59,11 +59,13 @@ RUN java -version && cargo --version && cargo ndk --version || true \
    && test -d "$ANDROID_SDK_ROOT/build-tools/36.0.0"

 # Publish tooling (appended last so the heavy toolchain layers stay cached):
-# docker CLI to talk to the runner's host socket for the fdroid steps, and
-# openssh-client to stream the signed repo to Rackham. The build steps don't
-# touch the socket; only the gated publish step does.
+# openssh-client only. The gated publish step hands the signed APK over SSH to a
+# rootless forced-command on the Lucy host, which verifies the signer and re-signs
+# the fdroid index on-host. No docker CLI / host socket is involved any more — the
+# old docker.io dependency was dropped once publish moved off the host docker
+# socket (#444 rootless hardening).
 RUN apt-get update && apt-get install -y --no-install-recommends \
-      docker.io openssh-client \
+      openssh-client \
    && rm -rf /var/lib/apt/lists/*

 # The signing keystore is NOT baked — it's injected per-build from the Forgejo