Every workspace template's CI / validate has been red since 2026-05-10
because the Docker build smoke step fails with:
ERROR: permission denied while trying to connect to the Docker daemon
socket at unix:///var/run/docker.sock — connect: permission denied
This is a runner-config gap (act_runner job containers don't get the
host docker.sock passed through, and the in-job uid isn't in the docker
group), not a template-content problem. Confirmed across at least
molecule-ai-workspace-template-claude-code (run 75) and
molecule-ai-workspace-template-hermes (run 38) — same root cause hits
every consumer of validate-workspace-template.yml.
This PR adds a docker-info preflight to the smoke step: when the daemon
is unreachable from the job container, emit a :⚠️: pointing at
the runner-config issue (internal#222) and exit 0 instead of failing.
When the runner config is fixed, docker info succeeds and the smoke
runs again automatically — no follow-up PR needed here.
Net: the workspace-template fleet's CI / validate goes green for the
right reasons (the validator + secret scan still run). Trade-off: zero
Dockerfile-build coverage on PRs until internal#222 lands. That's
worse than nothing, but better than the current state where a real
template bug is invisible behind a runner-config red.
5b39f65705