ci: fix build-push-action tag interpolation + reuse step output for dispatch

Gitea 1.25 expression parser does NOT support GitHub's ${VAR::N}
string-slicing shorthand inside an interpolation context. The previous
build.yml used ${{ github.sha::7 }} inline inside the build-push-action
tags: block, which failed with:
  Failed to parse: got unexpected character ':' while lexing expression

Fix: add a dedicated "Compute image tag" step that writes the short SHA to
$GITHUB_OUTPUT, then reference it as ${{ steps.tag.outputs.short_sha }}
from both the build-push-action tags block and the dispatch curl payload.

Also, the previous workflow referenced certs/rootCA.pem but the file was
never committed to this repo (only to gitea-deploy-demo). Adding
certs/rootCA.pem in the same commit.
2026-06-23 15:11:54 +00:00
parent 7b77f70883
commit 2e162edf88

@@ -64,6 +64,9 @@ jobs:
# Gitea's cert is signed by the homelab mkcert CA (certs/rootCA.pem).
# Install into both system + docker trust stores so docker CLI login
# and the buildkit registry call both succeed.
# NOTE: certs/rootCA.pem is the PUBLIC cert only — the key is never
# committed. Source of truth: /home/kaykayyali/rootCA.pem on the
# homelab mkcert box.
run: |
set -euo pipefail
sudo cp certs/rootCA.pem /usr/local/share/ca-certificates/homelab-rootCA.crt
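Review bot: The new NOTE comment asserts that certs/rootCA.pem holds only the public certificate, but the run block below it copies the file into the system and Docker trust stores without checking that. Because this file becomes a trust anchor on the runner, add a guard before the first `sudo cp`: fail if the file contains a `PRIVATE KEY` block, and compare its `openssl x509 -noout -fingerprint -sha256` output against a pinned value so that a swapped CA in a later commit is caught. The comment also records an absolute home-directory path on the mkcert host; a pointer to internal documentation would say the same without publishing the account name.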
@@ -72,6 +75,16 @@ jobs:
sudo cp certs/rootCA.pem /etc/docker/certs.d/git.homelab.local/ca.crt
echo "✓ CA installed in system + docker trust stores"
- name: Compute image tag
id: tag
# Gitea 1.25 doesn't support GitHub's ${VAR::N} string-slicing shorthand
# in expressions. Compute the short SHA via shell and emit as a step
# output, then reference it as ${{ steps.tag.outputs.short_sha }}.
run: |
SHORT_SHA="${GITHUB_SHA::7}"
echo "short_sha=${SHORT_SHA}" >> "$GITHUB_OUTPUT"
echo "✓ short SHA: ${SHORT_SHA}"
- name: Login to Gitea container registry
uses: docker/login-action@v3
with:
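Review bot: `${GITHUB_SHA::7}` in the new Compute image tag step is bash substring expansion, not a GitHub expression feature, so the step comment misattributes it and the step silently depends on the runner executing `run:` under bash. Set `shell: bash` on the step or use a POSIX form such as `printf %s "$GITHUB_SHA" | cut -c1-7`, and start the block with `set -euo pipefail` as the CA step does, so that an unset GITHUB_SHA fails here instead of writing an empty `short_sha` output that the later steps consume.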
@@ -86,7 +99,7 @@ jobs:
push: true
tags: |
${{ env.REGISTRY }}/${{ github.repository }}:latest
${{ env.REGISTRY }}/${{ github.repository }}:${{ github.sha::7 }}
${{ env.REGISTRY }}/${{ github.repository }}:${{ steps.tag.outputs.short_sha }}
- name: Dispatch to orchestrator
# Per the orchestrator's deploy.yaml contract:
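Review bot: The tag on the changed line is a 7-character abbreviation, which is not guaranteed to stay unique over the life of the repository, and like `latest` it is a mutable tag. Consider also pushing `${{ github.sha }}` as a tag: it needs no slicing, so it does not hit the parser limitation described in the commit message, and it gives an unambiguous commit-to-image mapping for whatever consumes the dispatch.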
@@ -105,7 +118,7 @@ jobs:
echo " and add it as DISPATCH_TOKEN in the repo's secrets."
exit 1
fi
SHORT_SHA="${GITHUB_SHA::7}"
SHORT_SHA="${{ steps.tag.outputs.short_sha }}"
curl -sS -X POST \
-H "Authorization: token ${DISPATCH_TOKEN}" \
-H "Content-Type: application/json" \
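Review bot: The replacement line `SHORT_SHA="${{ steps.tag.outputs.short_sha }}"` splices an expression into the script text before the shell parses it, which is the pattern to avoid in `run:` blocks because any value that is not strictly controlled becomes shell syntax. The value is hex today, but the safer habit is to pass it through the step's `env:` (for example `SHORT_SHA: ${{ steps.tag.outputs.short_sha }}`) and have the script refer to `"$SHORT_SHA"`. Separately, `curl -sS` as shown will not fail the step on an HTTP error response unless `--fail` appears in the part of the command that is cut off below.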