build: copy imager artifacts via docker cp for DinD runners

The Gitea act_runners on the fondation cluster run jobs in containers
against a docker:dind sidecar (socket at /shared/docker.sock). A nested
`docker run -v ./_out:/out` resolves the path on the dind daemon's
filesystem, not the job container, so the installer tar / raw image never
came back and `crane push ./_out/...` failed.

Run the imager without an output bind mount (anonymous /out volume) and
pull artifacts back with `docker cp`, which streams over the Docker API
and works under DinD, a shared socket, or a local daemon. Also drop `-t`
(no TTY in container-mode steps) and name+clean the containers.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Makefile

@@ -108,14 +108,19 @@ checkouts-clean:
 #
 # Patches
 #
+# git am records a commit, which needs an author/committer identity. CI runners
+# (fresh containers) have none, so pin one for the patch commands. This does not
+# touch global git config and is shadowed by your own identity when run locally.
+GIT_AM = git -c user.name="Talos CM5 Builder" -c user.email="ci@openharbor.io" am
+
 .PHONY: patches-pkgs patches-talos patches-overlay patches
 patches-pkgs:
 	cd "$(CHECKOUTS_DIRECTORY)/pkgs" && \
-		git am "$(PATCHES_DIRECTORY)/siderolabs/pkgs/"*.patch
+		$(GIT_AM) "$(PATCHES_DIRECTORY)/siderolabs/pkgs/"*.patch
 
 patches-talos:
 	cd "$(CHECKOUTS_DIRECTORY)/talos" && \
-		git am "$(PATCHES_DIRECTORY)/siderolabs/talos/"*.patch
+		$(GIT_AM) "$(PATCHES_DIRECTORY)/siderolabs/talos/"*.patch
 
 patches-overlay:
 	@cd "$(CHECKOUTS_DIRECTORY)/sbc-raspberrypi5" && \
@@ -123,11 +128,11 @@ patches-overlay:
 		GO_MINOR=$$(echo "$$GO_VER" | cut -d. -f1,2) && \
 		if [ "$$GO_MINOR" = "1.24" ]; then \
 			echo "Overlay Go $$GO_VER — applying Go toolchain patch (CVE fix)"; \
-			git am "$(PATCHES_DIRECTORY)/talos-rpi5/sbc-raspberrypi5/0001-"*.patch; \
+			$(GIT_AM) "$(PATCHES_DIRECTORY)/talos-rpi5/sbc-raspberrypi5/0001-"*.patch; \
 		else \
 			echo "Overlay Go $$GO_VER — skipping Go toolchain patch (CVEs fixed upstream)"; \
 		fi && \
-		git am "$(PATCHES_DIRECTORY)/talos-rpi5/sbc-raspberrypi5/0002-"*.patch
+		$(GIT_AM) "$(PATCHES_DIRECTORY)/talos-rpi5/sbc-raspberrypi5/0002-"*.patch
 
 patches: patches-pkgs patches-talos patches-overlay
 
@@ -164,6 +169,12 @@ overlay:
 # Builds the imager, installer-base, and installer images step by step,
 # pushing each to our project-specific Docker Hub repos.
 #
+# The imager runs as a container. Under DinD CI runners it is a sibling of the
+# dind daemon, so a bind mount of ./_out would resolve on the daemon's
+# filesystem rather than here. We therefore run the imager without an output
+# mount and copy artifacts back with `docker cp` (streams over the Docker API,
+# so it works under DinD, a shared socket, or a local daemon alike).
+#
 .PHONY: installer
 installer:
 	cd "$(CHECKOUTS_DIRECTORY)/talos" && \
@@ -185,22 +196,28 @@ installer:
 			target-installer-base \
 			TARGET_ARGS="--output type=image,name=$(INSTALLER_IMAGE):base-$(TALOS_TAG),push=true $(ATTESTATION_ARGS)" && \
 		docker pull $(IMAGER_IMAGE):$(TALOS_TAG) && \
-		docker run --rm -t -v ./_out:/out --privileged --network=host \
+		mkdir -p ./_out && \
+		( docker rm -fv talos-imager 2>/dev/null || true ) && \
+		docker run --name talos-imager -v /out --privileged --network=host \
 			$(IMAGER_IMAGE):$(TALOS_TAG) \
 			installer --arch arm64 \
 			--base-installer-image="$(INSTALLER_IMAGE):base-$(TALOS_TAG)" \
 			$(IMAGER_COMMON_FLAGS) && \
+		docker cp talos-imager:/out/installer-arm64.tar ./_out/installer-arm64.tar && \
+		docker rm -fv talos-imager >/dev/null && \
 		crane push ./_out/installer-arm64.tar $(INSTALLER_IMAGE):$(TALOS_TAG) && \
 		printf "FROM $(INSTALLER_IMAGE):$(TALOS_TAG)\n" | docker buildx build \
 			--platform linux/arm64 \
 			$(ATTESTATION_ARGS) \
 			-t $(INSTALLER_IMAGE):$(TALOS_TAG) --push - && \
-		docker \
-			run --rm -t -v ./_out:/out -v /dev:/dev --privileged --network=host \
+		( docker rm -fv talos-imager-metal 2>/dev/null || true ) && \
+		docker run --name talos-imager-metal -v /out -v /dev:/dev --privileged --network=host \
 			$(IMAGER_IMAGE):$(TALOS_TAG) \
 			metal --arch arm64 \
 			--base-installer-image="$(INSTALLER_IMAGE):$(TALOS_TAG)" \
-			$(IMAGER_COMMON_FLAGS)
+			$(IMAGER_COMMON_FLAGS) && \
+		docker cp talos-imager-metal:/out/. ./_out/ && \
+		docker rm -fv talos-imager-metal >/dev/null
 
 #
 # Release — tag images with the Git tag for stable references