Custom runner tag variable skips rootless build and breaks releases
Summary
Setting the OPENTOFU_COMPONENT_IMAGE_BUILD_RUNNER_TAG CI/CD variable (as documented in the README for self-managed instances) causes the gitlab-opentofu-image:build:rootless job to be skipped, which then breaks release deployments.
This is a follow-up issue to #202 (closed), which was recently fixed. After that fix, we can now successfully run builds on our self-managed instance, but discovered this new problem with rootless image variants.
Steps to Reproduce
- Mirror the component to a self-managed GitLab instance
- Set the CI/CD variable OPENTOFU_COMPONENT_IMAGE_BUILD_RUNNER_TAG=privileged (or any value, as documented in the README)
- Push a commit - observe that gitlab-opentofu-image:build:rootless is skipped
- Create a tag/release
- The gitlab-opentofu-image:deploy:rootless job fails with:

    Error: fetching "registry.example.com/components/opentofu/internal/gitlab-opentofu:COMMIT_SHA-opentofu1.10.0-alpine-rootless":
    MANIFEST_UNKNOWN: manifest unknown
Current Behavior
The gitlab-opentofu-image:build:rootless job has this rule at line 230:
    rules:
      - if: $OPENTOFU_COMPONENT_IMAGE_BUILD_RUNNER_TAG
        when: never
      - *gitlab-opentofu-image-build-base-rules
When OPENTOFU_COMPONENT_IMAGE_BUILD_RUNNER_TAG is set, the rootless variant is never built, but the deploy job still expects it to exist during releases.
Expected Behavior
Setting OPENTOFU_COMPONENT_IMAGE_BUILD_RUNNER_TAG should control which runner executes the build, not whether to skip the rootless build entirely. All image variants (root and rootless) should be built regardless of custom runner tag configuration.
Suggested Solutions
Option 1: Remove the skip rule
Remove the problematic when: never rule from gitlab-opentofu-image:build:rootless:
    gitlab-opentofu-image:build:rootless:
      extends:
        - '.runner-tags:build-image'
        - '.gitlab-opentofu-image:build:base'
      variables:
        TARGET: rootless
        GITLAB_OPENTOFU_IMAGE_NAME: "$GITLAB_OPENTOFU_IMAGE_BASE/gitlab-opentofu:$CI_COMMIT_SHA-opentofu$OPENTOFU_VERSION-$GITLAB_OPENTOFU_BASE_IMAGE_OS-rootless"
      needs:
        - gitlab-opentofu-image:build
      rules:
        - *gitlab-opentofu-image-build-base-rules
Option 2: Separate runner tag variables
Allow self-managed instances to configure runner tags separately for root and rootless builds:
- OPENTOFU_COMPONENT_IMAGE_BUILD_RUNNER_TAG - for the root build (already exists)
- OPENTOFU_COMPONENT_IMAGE_BUILD_ROOTLESS_RUNNER_TAG - new variable for rootless build
This would give operators flexibility to:
- Use the same tag for both (set both variables to the same value)
- Use different tags if rootless builds need different infrastructure
- Intentionally skip rootless builds by not setting the rootless variable (and having the corresponding deploy job respect that choice)
Impact
This affects all self-managed instances that follow the README guidance to set custom runner tags, making releases completely broken.
Environment
- GitLab: Self-managed (affects any version)
- Component version: 3.13.2 (and likely all versions)
Related
- #202 (closed) - Fixed similar issue with rule merging for build jobs
cc: @timofurrer - Thank you for the quick fix on #202 (closed)!
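
The mismatch described under Current Behavior (a build job that a variable can switch off while its deploy job still runs) can be caught by a lint over the merged CI configuration. The following is an added example, not code from the component or from this issue: the job names and the when: never rule come from the report, while the base and deploy rule conditions and the function names are assumptions made for illustration.

```python
"""Lint a merged CI config for build jobs that can be skipped while their deploy job cannot."""

# Constructed sample: jobs as they would look after extends/anchors are resolved.
# The `if` conditions on the base build rule and on the deploy jobs are
# assumptions; the issue does not show them.
SAMPLE_CONFIG = {
    "gitlab-opentofu-image:build": {"rules": [{"if": "$CI_COMMIT_SHA"}]},
    "gitlab-opentofu-image:build:rootless": {
        "rules": [
            {"if": "$OPENTOFU_COMPONENT_IMAGE_BUILD_RUNNER_TAG", "when": "never"},
            {"if": "$CI_COMMIT_SHA"},
        ]
    },
    "gitlab-opentofu-image:deploy": {"rules": [{"if": "$CI_COMMIT_TAG"}]},
    "gitlab-opentofu-image:deploy:rootless": {"rules": [{"if": "$CI_COMMIT_TAG"}]},
}


def never_conditions(job):
    """Return the `if` expressions under which this job is excluded (when: never)."""
    return {
        rule.get("if", "")
        for rule in job.get("rules", [])
        if isinstance(rule, dict) and rule.get("when") == "never"
    }


def find_mismatches(config):
    """Return (build_job, deploy_job, condition) triples where the build job
    is excluded by a condition that the paired deploy job does not share."""
    findings = []
    for name, job in config.items():
        if ":build" not in name:
            continue
        deploy_name = name.replace(":build", ":deploy", 1)
        deploy = config.get(deploy_name)
        if deploy is None:
            continue
        for cond in sorted(never_conditions(job) - never_conditions(deploy)):
            findings.append((name, deploy_name, cond))
    return findings


if __name__ == "__main__":
    for build, deploy, cond in find_mismatches(SAMPLE_CONFIG):
        print(f"{deploy} can run without {build}: build is skipped when {cond} is set")
```

Run against the sample, the lint reports the rootless pair; with the when: never rule removed as in Option 1, it reports nothing.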