ci(android): explicit apksigner step after Godot export

Godot 4.6 produces an unsigned APK in headless mode on this
runner — verified by apksigner: "DOES NOT VERIFY, Missing
META-INF/MANIFEST.MF". The internal sign step seems to bail
silently (likely because the apksigner subprocess can't locate
java without inheriting JAVA_HOME). The export step still
reports success.

Sign the APK ourselves after the export with the same debug
keystore the workflow provisions. Idempotent if Godot ever
starts signing again; mandatory until then.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.gitea/workflows/build.yml

@@ -188,6 +188,26 @@ jobs:
       - name: Export Android APK
         run: godot --headless --export-debug "AndroidDebug" "releases/android/Puzzle-Quest.apk"
 
+      - name: Sign + verify APK
+        run: |
+          set -euo pipefail
+          APK="releases/android/Puzzle-Quest.apk"
+          APKSIGNER="$ANDROID_HOME/build-tools/34.0.0/apksigner"
+          # Godot 4.6 sometimes ships an unsigned APK from the headless
+          # export (sign step skips silently when its internal apksigner
+          # call can't locate java). Re-sign unconditionally — idempotent
+          # if Godot did sign, and guarantees a valid APK if it didn't.
+          "$APKSIGNER" sign \
+            --ks /tmp/debug.keystore \
+            --ks-pass pass:android \
+            --ks-key-alias androiddebugkey \
+            --key-pass pass:android \
+            --v1-signing-enabled true \
+            --v2-signing-enabled true \
+            --v3-signing-enabled true \
+            "$APK"
+          "$APKSIGNER" verify --verbose "$APK"
+
       - name: Upload artifact
         uses: actions/upload-artifact@v3
         with: