ci: fix unbound variable error for OIDC vars on stock Gitea

Use ${VAR:-} default-empty syntax so set -u doesn't abort when
ACTIONS_ID_TOKEN_REQUEST_TOKEN/URL are absent (stock Gitea runners
don't set them).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.gitea/workflows/kubernetes-deploy.yaml

@@ -15,8 +15,8 @@ jobs:
         run: |
           set -euxo pipefail
 
-          IDTOKEN=$(curl -sS -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
-            "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=https://vault.hrajfrisbee.cz/")
+          IDTOKEN=$(curl -sS -H "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" \
+            "${ACTIONS_ID_TOKEN_REQUEST_URL:-}&audience=https://vault.hrajfrisbee.cz/")
           
           TOKEN=$(echo "$IDTOKEN" | jq -r '.value')
           
@@ -32,8 +32,8 @@ jobs:
           env | sort
           echo ""
           echo "=== ID Token (decoded) ==="
-          IDTOKEN=$(curl -sS -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
-            "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=https://vault.hrajfrisbee.cz/")
+          IDTOKEN=$(curl -sS -H "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" \
+            "${ACTIONS_ID_TOKEN_REQUEST_URL:-}&audience=https://vault.hrajfrisbee.cz/")
           echo "$IDTOKEN" | jq -r '.value' | cut -d. -f2 | base64 -d 2>/dev/null | jq .
 
       - name: Read secret from Vault