ci: fix straw build workflow — plain git clone (no node) + dynamic apksigner
Some checks failed
build-apk / build-and-publish (push) Failing after 2s
gitleaks / scan (push) Successful in 40s

The build-and-publish job runs in the straw-build container, which ships
the Android + Rust toolchain but NOT node. actions/checkout@v4 is a Node
action, so it died with 'exec: "node": not found' before any source was
checked out — every build run since the workflow landed was red for this,
not the registry-pull theory.

- Replace both actions/checkout@v4 steps with a plain 'git clone' (git is
  in the image, both repos are public). Also sidesteps the runner's flaky
  data.forgejo.org action fetch. strawcore stays a sibling of straw for
  the rust/strawcore path dependency.
- Pick apksigner from whatever build-tools the image actually ships (36),
  not the hardcoded 34.0.0 that doesn't exist in it.

Build + publish prereqs verified present: docker CLI in image, runner
docker_host=automount + --group-add, and the STRAW_SIGNING_KEYSTORE_B64 /
STRAW_FDROID_RACKHAM_KEY secrets are set.
Cobb 2026-06-20 13:11:22 -07:00
parent 7b28d94189
commit 4705fb5e4f


@ -33,19 +33,21 @@ jobs:
container:
image: git.sulkta.com/sulkta-infra/straw-build:latest
steps:
- name: Checkout straw
uses: actions/checkout@v4
with:
path: straw
# strawcore is consumed by rust/strawcore via `path = "../../../strawcore"`,
# i.e. a sibling of the straw checkout — so it MUST live next to it.
- name: Checkout strawcore (sibling)
uses: actions/checkout@v4
with:
repository: Sulkta-OSS/strawcore
ref: main
path: strawcore
# We clone with plain git instead of actions/checkout@v4: that action is
# a Node action, and the straw-build job container ships the Android +
# Rust toolchain but NOT node — so checkout@v4 dies with
# `exec: "node": not found`. git is in the image, both repos are public,
# and a shell clone also sidesteps the runner's flaky data.forgejo.org
# action fetch. strawcore must be a SIBLING of straw because
# rust/strawcore depends on it via `path = "../../../strawcore"`.
- name: Checkout straw + strawcore (sibling, no JS actions)
run: |
set -euo pipefail
git clone https://git.sulkta.com/Sulkta-OSS/straw.git straw
git -C straw checkout --detach "${{ github.sha }}"
git clone --depth 1 https://git.sulkta.com/Sulkta-OSS/strawcore.git strawcore
echo "straw: $(git -C straw rev-parse --short HEAD)"
echo "strawcore: $(git -C strawcore rev-parse --short HEAD)"
- name: Decode signing keystore
env:
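Review bot: the strawcore sibling clone at the `git clone --depth 1 https://git.sulkta.com/Sulkta-OSS/strawcore.git strawcore` line pulls whatever the default branch head is at build time, so the dependency that gets compiled into a published, signed APK is unpinned and the build is not reproducible. The replaced `ref: main` step had the same property, so this is not a regression, but now that the clone is a shell command it is cheap to pin: record a known strawcore commit in the straw repo and mirror the straw step, e.g. `git -C strawcore checkout --detach "$STRAWCORE_SHA"` (dropping `--depth 1` so the commit is reachable), then keep the existing `rev-parse --short HEAD` echo so the log records which revision was built. The `${{ github.sha }}` expression spliced into the `run:` script is fine here because it is a commit hash, but passing it via `env:` is the usual habit so no expression text is ever interpolated into shell.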
@ -77,7 +79,9 @@ jobs:
echo "Built vc=$VC -> $NAME"
# The whole series is signed with SHA-1 bb9ca96b...; fail loudly if a
# build ever produces a different signer (would break in-place updates).
FP=$("$ANDROID_HOME/build-tools/34.0.0/apksigner" verify --print-certs "$APK" | grep -i 'SHA-1' | grep -o '[0-9a-f]\{40\}')
# Pick whatever build-tools the image actually ships (36 today, not 34).
APKSIGNER=$(ls "$ANDROID_HOME"/build-tools/*/apksigner | sort -V | tail -1)
FP=$("$APKSIGNER" verify --print-certs "$APK" | grep -i 'SHA-1' | grep -o '[0-9a-f]\{40\}')
echo "signer SHA-1: $FP"
if [ "$FP" != "bb9ca96b10ebbc1ac48e037a21f350415d18915f" ]; then
echo "::error::APK signer $FP != canonical key — refusing to publish"; exit 1
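Review bot: the signer pin at the `FP=$("$APKSIGNER" verify --print-certs "$APK" | grep -i 'SHA-1' ...)` line keys on the certificate's SHA-1 digest; apksigner prints a `SHA-256 digest` line for the same certificate, and pinning on that is the stronger identity check at no cost (grep for 'SHA-256' and a 64-hex match, and replace the constant with the key's SHA-256 digest, which is not on this page). Two smaller points on the same lines: `grep -o` emits one match per signer, so an APK with more than one signer in its lineage yields a multi-line `$FP` that fails the comparison, which fails closed but with a misleading error message, so an explicit line-count check (`test "$(printf '%s\n' "$FP" | wc -l)" -eq 1`) would make that case intentional; and `ls "$ANDROID_HOME"/build-tools/*/apksigner | sort -V | tail -1` silently picks the newest build-tools, so echo `$APKSIGNER` before using it so the log shows which tool verified the signer.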