ci: fix docker runner

deploy/ansible/install-runner.yml

@@ -56,3 +56,20 @@
       loop_control:
         loop_var: project_spec
         label: "{{ project_spec.project }}"
+
+    # The build job runs `docker build` on the host, talking to the daemon via
+    # /var/run/docker.sock. Without docker group membership the runner user gets
+    # "permission denied ... unix:///var/run/docker.sock".
+    - name: Add runner user to the docker group
+      ansible.builtin.user:
+        name: "{{ runner_user }}"
+        groups: docker
+        append: true
+      register: runner_docker_group
+
+    # Group membership is only read at process start, so already-running runner
+    # services must be restarted to gain socket access.
+    - name: Restart runner services to apply docker group membership
+      ansible.builtin.shell: "systemctl restart 'gitea-runner-*.service'"
+      when: runner_docker_group is changed
+      changed_when: true