From 14d38b27e47da0ca08fc98937eb2f1a302ebc4d2 Mon Sep 17 00:00:00 2001
From: Cobb
Date: Fri, 26 Jun 2026 20:05:12 -0700
Subject: [PATCH] ci: drop dead docker.io from straw-build image

Publish moved off the host docker socket to a rootless SSH forced-command on Lucy (#444), so the docker CLI in the build image is now unused. Keep openssh-client (the publish step ssh's the signed APK to the host).
---
 ci/Dockerfile | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/ci/Dockerfile b/ci/Dockerfile
index fc1072623..b6bf54e2e 100644
--- a/ci/Dockerfile
+++ b/ci/Dockerfile
@@ -59,11 +59,13 @@ RUN java -version && cargo --version && cargo ndk --version || true \
 && test -d "$ANDROID_SDK_ROOT/build-tools/36.0.0"
 
 # Publish tooling (appended last so the heavy toolchain layers stay cached):
-# docker CLI to talk to the runner's host socket for the fdroid steps, and
-# openssh-client to stream the signed repo to Rackham. The build steps don't
-# touch the socket; only the gated publish step does.
+# openssh-client only. The gated publish step hands the signed APK over SSH to a
+# rootless forced-command on the Lucy host, which verifies the signer and re-signs
+# the fdroid index on-host. No docker CLI / host socket is involved any more — the
+# old docker.io dependency was dropped once publish moved off the host docker
+# socket (#444 rootless hardening).
 RUN apt-get update && apt-get install -y --no-install-recommends \
- docker.io openssh-client \
+ openssh-client \
 && rm -rf /var/lib/apt/lists/*
 
 # The signing keystore is NOT baked — it's injected per-build from the Forgejo
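Review bot: Dropping the docker CLI package is not the control that the new comment claims — if the runner job still bind-mounts the host docker socket into this container, build steps retain root-equivalent access to the daemon whether or not a CLI is installed, and this hunk cannot show the runner/workflow configuration; please confirm the socket mount itself was removed as part of #444 and word the comment around that. The added comment also carries commit history (`the old docker.io dependency was dropped once publish moved off the host docker socket`) that belongs in the commit message; in the Dockerfile a shorter statement of the current contract is easier to keep true, e.g. `# openssh-client only: the gated publish step hands the signed APK over SSH to a rootless forced-command on the Lucy host. No docker CLI / host socket is mounted or used (#444).` Separately, the rewritten install line leaves `openssh-client` unpinned (hadolint DL3008); that predates this change, but since the line is being edited anyway, `openssh-client=<pinned-version> \` would make the publish tooling reproducible.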