ci: run build-iso on the runner host (DooD path fix)

Now that the runner uses docker-outside-of-docker, volume mounts in
`build.sh` (`docker run -v \$REPO_ROOT:/work ...`) are interpreted by
host docker — so `\$REPO_ROOT` must be a real host path. When the job
runs inside a job container, `\$REPO_ROOT` is only valid in the job
container's filesystem namespace and host docker can't find it, hence
`bash: /work/iso/build.sh: No such file or directory`.

Fix: switch `runs-on` to `self-hosted`. Forgejo-runner exposes that
label out of the box and, with no matching container image mapping,
runs steps directly on the runner VM. Checkout writes to a real host
path; `docker run -v …` then mounts a path both the outer CLI and
host docker agree on.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.forgejo/workflows/build-iso.yml

@@ -14,14 +14,13 @@ concurrency:
 
 jobs:
   build-iso:
-    runs-on: ubuntu-latest
+    # Run directly on the runner host, not inside a job container.
+    # `build.sh` does `docker run -v $REPO_ROOT:/work archlinux:latest`,
+    # and host docker interprets the volume source as a host path — so
+    # $REPO_ROOT has to be a path on the host, which it only is when
+    # we skip the job-container wrapping. The runner VM has git + docker.
+    runs-on: self-hosted
     timeout-minutes: 30
-    # The runner is configured for docker-outside-of-docker: its
-    # `valid_volumes` whitelists /var/run/docker.sock and it mounts the
-    # socket into every job container automatically — no need to repeat
-    # that mount here (it'd be a duplicate-mount error).
-    env:
-      DOCKER_HOST: unix:///var/run/docker.sock
     steps:
       - uses: actions/checkout@v4