feat(flatpak): add rancher-desktop

Package Rancher Desktop v1.22.0 as a Flatpak using the pre-built
Linux zip from GitHub releases. Electron app extracted and wrapped
with --no-sandbox for Flatpak sandbox compatibility.

Permissions modeled on Podman Desktop (Flathub), since both apps
manage containers and VMs:
- --filesystem=home (config/state in non-XDG paths, no upstream fix)
- --filesystem=host-os:ro (detect host CLI tools: docker, kubectl, etc.)
- --filesystem=xdg-run/podman:create, containers:create, /run/docker.sock
- --device=all (KVM required for Lima VM backend on Linux)
- --talk-name=org.freedesktop.Flatpak (spawn host processes)

x86_64 only — upstream ships no arm64 Linux build.
x-skip-launch-check: true — Electron GUI exits 1 without display.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Assisted-by: Claude Sonnet 4.6 via GitHub Copilot

Author: castrojo

flatpaks/rancher-desktop/GOTCHAS.md

@@ -0,0 +1,42 @@
+# Rancher Desktop — Gotchas
+
+## x-skip-launch-check: true
+Rancher Desktop is an Electron GUI app. In the headless gnome-49 CI container it exits 1
+("Missing X server or $DISPLAY" / Wayland not available). `x-skip-launch-check: true` is set
+in `manifest.yaml` so the e2e-install job skips the launch check and exits 0 after verifying
+the Flatpak installs correctly.
+
+## x86_64 only
+Upstream ships a single Linux zip (`rancher-desktop-linux-v1.22.0.zip`) for x86_64 only.
+No arm64 Linux build is provided. `x-arches: [x86_64]` is set accordingly.
+
+## --no-sandbox wrapper required
+The Electron SUID chrome-sandbox is incompatible with the Flatpak sandbox (cannot set uid 0
+inside the sandbox). A wrapper script at `/app/bin/rancher-desktop` passes `--no-sandbox`
+to the Electron binary. Flatpak provides its own sandboxing layer.
+
+## --device=all (KVM for Lima VMs)
+Rancher Desktop uses Lima as the VM backend on Linux for container runtime isolation.
+Lima requires access to `/dev/kvm`. `--device=all` is the standard Flatpak permission for
+KVM access. See Podman Desktop for the same pattern.
+
+## --filesystem=home
+Rancher Desktop writes config, state, and container data to non-XDG locations under `$HOME`
+(`~/.config/rancher-desktop`, `~/.local/share/rancher-desktop`, etc.) with no upstream option
+to relocate to XDG paths. `--filesystem=home` is required; tightening will break the app.
+
+## --filesystem=host-os:ro
+Required to detect and invoke host-installed tools (docker CLI, nerdctl, kubectl, helm, etc.)
+from the host PATH. Modeled directly on the Podman Desktop Flathub manifest.
+
+## finish-args-home-filesystem-access lint exception
+`flatpak-builder-lint` flags `--filesystem=home` as a lint warning/error. It is intentional
+here; the exception is declared in `exceptions.json`.
+
+## Zip layout (v1.22.0)
+The GitHub release zip extracts as a flat directory:
+- `rancher-desktop` — main Electron binary (199 MB)
+- `resources/resources/icons/logo-square-512.png` — 512×512 app icon
+- `resources/resources/linux/rancher-desktop.desktop` — desktop entry
+- `resources/app.asar`, `resources/app.asar.unpacked/` — app bundle
+- Various Electron/Chromium shared libraries at root

flatpaks/rancher-desktop/exceptions.json

@@ -0,0 +1,8 @@
+{
+    "io.rancherdesktop.RancherDesktop": [
+        "appid-filename-mismatch",
+        "appstream-no-flathub-manifest-key",
+        "metainfo-missing-screenshots",
+        "finish-args-home-filesystem-access"
+    ]
+}

flatpaks/rancher-desktop/io.rancherdesktop.RancherDesktop.metainfo.xml

@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<component type="desktop-application">
+  <id>io.rancherdesktop.RancherDesktop</id>
+  <name>Rancher Desktop</name>
+  <summary>Container management and Kubernetes on the desktop</summary>
+  <description>
+    <p>
+      Rancher Desktop is an open-source application that provides all the essentials
+      to work with containers and Kubernetes on the desktop. It runs a local
+      Kubernetes cluster, manages container images, and lets you choose between
+      containerd and dockerd as the container runtime — all from a single GUI.
+    </p>
+    <p>
+      Key features include a built-in Kubernetes cluster (powered by k3s), container
+      image management, support for port forwarding and volume mounts, and integration
+      with common developer tools like kubectl, nerdctl, and helm.
+    </p>
+  </description>
+  <url type="homepage">https://rancherdesktop.io/</url>
+  <url type="bugtracker">https://github.com/rancher-sandbox/rancher-desktop/issues</url>
+  <metadata_license>MIT</metadata_license>
+  <project_license>Apache-2.0</project_license>
+  <categories>
+    <category>Development</category>
+    <category>Utility</category>
+  </categories>
+  <releases>
+    <release version="1.22.0" date="2026-01-19"/>
+    <release version="1.21.0" date="2025-10-24"/>
+    <release version="1.20.1" date="2025-10-01"/>
+  </releases>
+  <content_rating type="oars-1.1"/>
+</component>

flatpaks/rancher-desktop/manifest.yaml

@@ -0,0 +1,75 @@
+app-id: io.rancherdesktop.RancherDesktop
+runtime: org.gnome.Platform
+runtime-version: "49"
+sdk: org.gnome.Sdk
+default-branch: stable
+x-version: "1.22.0"
+# x-arches: upstream only ships x86_64 Linux zip; no arm64 available
+x-arches: [x86_64]
+x-skip-launch-check: true  # Electron GUI — exits 1 without display in CI
+command: rancher-desktop
+finish-args:
+  # Windowing (X11 only; Electron does not fully support Wayland yet)
+  - --socket=x11
+  - --share=ipc
+  - --device=dri
+  # Full home access: Rancher Desktop stores config, images, and state under ~/.config/rancher-desktop
+  # and manages container data in non-XDG paths. No upstream support for tighter scoping.
+  - --filesystem=home
+  # Read-only host OS view: needed to detect and invoke host-installed tools
+  # (docker CLI, nerdctl, kubectl, helm, etc.) on the host PATH.
+  - --filesystem=host-os:ro
+  # Podman and container runtime sockets
+  - --filesystem=xdg-run/podman:create
+  - --filesystem=xdg-run/containers:create
+  - --filesystem=/run/docker.sock
+  # Network required: downloads images, communicates with container daemons, Kubernetes API
+  - --share=network
+  # KVM access: Rancher Desktop uses Lima for VM-based container runtime on Linux
+  - --device=all
+  # D-Bus: notifications and system tray
+  - --talk-name=org.freedesktop.Notifications
+  - --talk-name=org.kde.StatusNotifierWatcher
+  # Spawn host processes (e.g. open browser, invoke host CLI tools)
+  - --talk-name=org.freedesktop.Flatpak
+  # Force X11 session type (Electron environment variable)
+  - --env=XDG_SESSION_TYPE=x11
+  - --env=XCURSOR_PATH=/run/host/user-share/icons:/run/host/share/icons
+modules:
+  - name: rancher-desktop
+    buildsystem: simple
+    build-commands:
+      # Unzip the Electron app bundle (flat layout at zip root)
+      - unzip -q rancher-desktop-linux-v1.22.0.zip -d /app/rancher-desktop
+
+      # Install 512x512 icon
+      - install -Dm644
+        /app/rancher-desktop/resources/resources/icons/logo-square-512.png
+        /app/share/icons/hicolor/512x512/apps/io.rancherdesktop.RancherDesktop.png
+
+      # Install and fix desktop file
+      - install -Dm644
+        /app/rancher-desktop/resources/resources/linux/rancher-desktop.desktop
+        /app/share/applications/io.rancherdesktop.RancherDesktop.desktop
+      - sed -i 's|^Exec=.*|Exec=rancher-desktop %U|'
+        /app/share/applications/io.rancherdesktop.RancherDesktop.desktop
+      - sed -i 's|^Icon=.*|Icon=io.rancherdesktop.RancherDesktop|'
+        /app/share/applications/io.rancherdesktop.RancherDesktop.desktop
+
+      # Install metainfo
+      - install -Dm644 io.rancherdesktop.RancherDesktop.metainfo.xml
+        /app/share/metainfo/io.rancherdesktop.RancherDesktop.metainfo.xml
+
+      # Wrapper script: Electron SUID sandbox is incompatible with Flatpak sandbox
+      - install -d /app/bin
+      - printf '#!/bin/sh\nexec /app/rancher-desktop/rancher-desktop --no-sandbox "$@"\n'
+        > /app/bin/rancher-desktop
+      - chmod 755 /app/bin/rancher-desktop
+    sources:
+      - type: file
+        url: https://github.com/rancher-sandbox/rancher-desktop/releases/download/v1.22.0/rancher-desktop-linux-v1.22.0.zip
+        sha256: 081bc82ac988b1467f6445dddb483395ca7b1aac2164594fd5f4e2cb7344ba6d
+        dest-filename: rancher-desktop-linux-v1.22.0.zip
+
+      - type: file
+        path: io.rancherdesktop.RancherDesktop.metainfo.xml