See T265685: Set up CI for cloud/toolforge/buildpacks repository for context.
TL;DR: cloud-services-team needs to run pack in CI to verify their builder configuration. However, it needs access to dockerd to function. I suggested one option might be to give it access to the dockerd socket via a bind mount. Before doing that, we'll need to verify that the configuration can't contain anything that would allow for command injection.