Fix Docker-in-Docker cgroup isolation issues by adding --cgroupns=host

The GitHub Actions DinD environment failed to start inner containers due to
cgroup v2 namespace isolation problems ('cannot enter cgroupv2 ... invalid state').
To resolve this, all docker run calls inside the CI workflow were updated
to include --cgroupns=host, ensuring the inner dockerd inherits the host
cgroup namespace instead of being sandboxed.

This aligns the CI runtime with the expectations of runc and prevents OCI-level
container creation failures.

Details and troubleshooting steps documented here:
https://chatgpt.com/share/6930e285-9604-800f-aad8-7a81c928548c
2025-12-04 02:41:20 +01:00
parent 5c67c42911
commit bb4391d083
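The commit message names the symptom (the inner dockerd dies with "cannot enter cgroupv2 ... invalid state") but the workflow has no pre-flight check that reports the cgroup situation before dockerd is started. The following shell snippet is an added example, not code from this commit or from the infinito project: it classifies the cgroup version and whether the current container sees the host cgroup namespace, and returns non-zero when the inner dockerd would run in a private cgroup namespace on cgroup v2. The function names, the placement inside the deploy steps, and the sample `/proc/self/cgroup` contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not part of the commit or the infinito project): a pre-flight
# check for a Docker-in-Docker job. It classifies how the current container
# sees the cgroup tree so the workflow can fail early with a clear message
# instead of the inner dockerd failing with "cannot enter cgroupv2 ... invalid state".

# Classify a /proc/self/cgroup payload. It is passed as a string so the
# function can be exercised with constructed input. With a private cgroup
# namespace, cgroup v2 shows the container at the namespace root ("0::/").
# With --cgroupns=host the entry carries the host-side path, for example
# "0::/system.slice/docker-<id>.scope".
cgroupns_mode() {
    cgroup_file="$1"
    # cgroup v2 has a single unified entry of the form "0::<path>"
    v2_path=$(printf '%s\n' "$cgroup_file" | sed -n 's/^0::\(.*\)$/\1/p' | head -n 1)
    if [ -z "$v2_path" ]; then
        echo "v1-or-unknown"
    elif [ "$v2_path" = "/" ]; then
        echo "private"
    else
        echo "host"
    fi
}

# Detect the cgroup version from the mount: cgroup v2 exposes
# cgroup.controllers at the root of the unified hierarchy.
cgroup_version() {
    root="${1:-/sys/fs/cgroup}"
    if [ -f "$root/cgroup.controllers" ]; then
        echo 2
    else
        echo 1
    fi
}

# Return 0 when the environment matches what the workflow now expects
# (cgroup v2 seen through the host cgroup namespace), 1 otherwise.
dind_preflight() {
    mode=$(cgroupns_mode "$(cat /proc/self/cgroup 2>/dev/null)")
    ver=$(cgroup_version)
    printf 'cgroup version: %s, cgroup namespace mode: %s\n' "$ver" "$mode"
    if [ "$ver" = 2 ] && [ "$mode" = "private" ]; then
        echo "inner dockerd would start in a private cgroup namespace; rerun with --cgroupns=host" >&2
        return 1
    fi
    return 0
}
```

Placing `dind_preflight || exit 1` as the first command of the `/bin/sh -lc '...'` body in each deploy step turns the runc error into a one-line diagnosis before any inner container is created; the string-based `cgroupns_mode` can also be fed a captured `/proc/self/cgroup` from a failed job to explain it after the fact.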


@@ -43,7 +43,7 @@ jobs:
# 1) First deploy: normal + debug (inner dockerd with vfs)
- name: First deploy (normal + debug)
run: |
docker run --network=host --rm --privileged \
docker run --network=host --rm --privileged --cgroupns=host \
-e EXCLUDED_ROLES="$EXCLUDED_ROLES" \
infinito:latest \
/bin/sh -lc '
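Review bot: stacking `--cgroupns=host` on `--privileged` in `docker run --network=host --rm --privileged --cgroupns=host \` gives the inner dockerd a writable view of the host's entire cgroup tree rather than only its own subtree, which is a host-level capability on top of the already privileged container. The step comment `# 1) First deploy: normal + debug (inner dockerd with vfs)` should state that this is accepted only because the GitHub-hosted runner is ephemeral and discarded after the job; if the workflow can ever be scheduled on a persistent self-hosted runner, that assumption no longer holds and the flag needs a separate review.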
@@ -93,7 +93,7 @@ jobs:
# 2) Second deploy: reset + debug (same inner dockerd pattern, also vfs)
- name: Second deploy (--reset --debug)
run: |
docker run --network=host --rm --privileged \
docker run --network=host --rm --privileged --cgroupns=host \
-e EXCLUDED_ROLES="$EXCLUDED_ROLES" \
infinito:latest \
/bin/sh -lc '
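Review bot: the line `docker run --network=host --rm --privileged --cgroupns=host \` is now hand-copied into three steps, so any later change to the DinD invocation (a different cgroup driver, or replacing `--privileged` with a narrower capability set) has to be made three times and can silently drift between steps. Suggest lifting the shared options into one workflow-level `env:` value, for example `DIND_RUN_OPTS: --network=host --rm --privileged --cgroupns=host`, and having each step run `docker run $DIND_RUN_OPTS -e EXCLUDED_ROLES="$EXCLUDED_ROLES" infinito:latest ...`.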
@@ -142,7 +142,7 @@ jobs:
# 3) Third deploy: async (no debug, same inner dockerd, also vfs)
- name: Third deploy (async deploy no debug)
run: |
docker run --network=host --rm --privileged \
docker run --network=host --rm --privileged --cgroupns=host \
-e EXCLUDED_ROLES="$EXCLUDED_ROLES" \
infinito:latest \
/bin/sh -lc '
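Review bot: the step comment `# 3) Third deploy: async (no debug, same inner dockerd, also vfs)` still explains the `vfs` choice but says nothing about the new `--cgroupns=host`, and the only rationale lives in the commit message behind a chatgpt.com share link that may not stay reachable. Put the observed error string (`cannot enter cgroupv2 ... invalid state`) and the reason (the inner dockerd and runc need the host cgroup namespace) in a comment next to the first `docker run` in the workflow, so that the next person who audits the privileges does not remove the flag as an unneeded one.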