fix(ci): resolve image tag via Gitea API instead of artifact

upload/download-artifact@v4 is not supported on Gitea (GHES). Replace
with a direct Gitea API call in gitops-update: look up the tag name
whose commit SHA matches workflow_run.head_sha. Reverts the artifact
upload from build.yaml; no changes to build.yaml logic.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

.gitea/workflows/gitops-update.yaml

@@ -39,10 +39,10 @@ jobs:
       GITEA_TOKEN: ${{ secrets.GITOPS_TOKEN }}
 
     steps:
-      - name: Install git, curl, ca-certificates
+      - name: Install git, curl, ca-certificates, jq
         run: |
           apt-get update -qq
-          apt-get install -y --no-install-recommends git curl ca-certificates
+          apt-get install -y --no-install-recommends git curl ca-certificates jq
 
       - name: Install tea
         run: |
@@ -62,19 +62,29 @@ jobs:
         id: resolve
         run: |
           if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
-            GIT_TAG="${{ inputs.tag }}"
+            IMAGE="gitea.home.hrajfrisbee.cz/${{ github.repository }}:${{ inputs.tag }}-go"
           else
-            # workflow_run: use the ref name of the triggering workflow (the pushed git tag).
-            GIT_TAG="${{ github.event.workflow_run.head_branch }}"
+            # workflow_run: head_branch is not populated for tag pushes in Gitea Actions.
+            # Look up the tag name that points to the triggering commit SHA via the API.
+            SHA="${{ github.event.workflow_run.head_sha }}"
+            GIT_TAG=$(curl -fsSL \
+              -H "Authorization: token ${GITEA_TOKEN}" \
+              "https://gitea.home.hrajfrisbee.cz/api/v1/repos/${{ github.repository }}/tags?limit=50" \
+              | jq -r --arg sha "$SHA" '.[] | select(.commit.sha == $sha) | .name')
+            IMAGE="gitea.home.hrajfrisbee.cz/${{ github.repository }}:${GIT_TAG}-go"
           fi
-          IMAGE="gitea.home.hrajfrisbee.cz/${{ github.repository }}:${GIT_TAG}-go"
           echo "image=${IMAGE}" >> "$GITHUB_OUTPUT"
           echo "Resolved image: ${IMAGE}"
 
-      - name: Configure git identity
+      - name: Configure git identity and credentials
         run: |
           git config --global user.name  "uh-cli bot"
           git config --global user.email "bot@hrajfrisbee.cz"
+          # Store credentials separately so the --git-repo URL stays clean.
+          # Tea matches the login URL against the remote URL; embedded credentials
+          # break that matching and cause "path segment [0] is empty" on pr create.
+          git config --global credential.helper store
+          echo "https://kacerr:${GITEA_TOKEN}@gitea.home.hrajfrisbee.cz" >> ~/.git-credentials
 
       - name: Authenticate tea
         run: |
@@ -85,10 +95,11 @@ jobs:
 
       - name: Open image-update PR (or dry run)
         run: |
+          set -x
           uh-cli -v gitops deployment update \
             --deployment-name fuj-management \
             --deployment-namespace fuj \
             --set-image "${{ steps.resolve.outputs.image }}" \
-            --git-repo "https://kacerr:${GITEA_TOKEN}@gitea.home.hrajfrisbee.cz/kacerr/home-kubernetes" \
+            --git-repo "https://gitea.home.hrajfrisbee.cz/kacerr/home-kubernetes" \
             --git-path gitops/home-kubernetes \
             ${{ (github.event_name == 'workflow_dispatch' && inputs.dry_run == 'true') && '--dry-run' || '' }}