ci: add verbose debugging to Vault token step

Split curl calls into separate variables and log intermediate
responses to stderr to identify which request is failing.
Added set -euxo pipefail for immediate failure visibility.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.gitea/workflows/kubernetes-deploy.yaml

@@ -19,15 +19,23 @@ jobs:
       - name: Get Kanidm token from Vault
         id: vault
         run: |
+          set -euxo pipefail
+
           # Authenticate to Vault (AppRole — no CLI needed)
-          VAULT_TOKEN=$(curl -sf --request POST \
+          VAULT_AUTH_RESPONSE=$(curl -f --request POST \
             --data '{"role_id":"${{ secrets.VAULT_ROLE_ID }}","secret_id":"${{ secrets.VAULT_SECRET_ID }}"}' \
-            https://vault.hrajfrisbee.cz/v1/auth/approle/login | jq -r '.auth.client_token')
+            https://vault.hrajfrisbee.cz/v1/auth/approle/login)
+
+          echo "Vault auth response: $VAULT_AUTH_RESPONSE" >&2
+          VAULT_TOKEN=$(echo "$VAULT_AUTH_RESPONSE" | jq -r '.auth.client_token')
 
           # Read the kanidm API token
-          API_TOKEN=$(curl -sf \
+          SECRET_RESPONSE=$(curl -f \
             -H "X-Vault-Token: ${VAULT_TOKEN}" \
-            https://vault.hrajfrisbee.cz/v1/secret/data/k8s_home/gitea/gitea-ci-token | jq -r '.data.data.token')
+            https://vault.hrajfrisbee.cz/v1/secret/data/k8s_home/gitea/gitea-ci-token)
+
+          echo "Secret response: $SECRET_RESPONSE" >&2
+          API_TOKEN=$(echo "$SECRET_RESPONSE" | jq -r '.data.data.token')
 
           echo "::add-mask::${API_TOKEN}"
           echo "api_token=${API_TOKEN}" >> "$GITHUB_OUTPUT"