security(release): rotate compromised F-Droid repo key; keep key out of served tree

The F-Droid repo signing key (keystore.p12) and its config.yml — including
the keystore passwords in cleartext — were publicly downloadable at
apps.dev.jeanlucmakiola.de/dev/fdroid/ because the release workflow uploaded
the entire fdroid/ working dir into the web-served path. The webserver has
since been locked down to repo/ only; this rotates the now-compromised key
and removes the root cause.

- release.yaml: restore the repo key + config from new CI secrets
  (FDROID_KEYSTORE_BASE64, FDROID_CONFIG_BASE64) instead of the box; upload
  ONLY repo/ so the key never re-enters the served tree.
- release.yaml: fail loudly when the repo key secrets are unset, replacing
  `fdroid update --create-key`, which silently minted a NEW repo key on a
  wiped server and would have broken every user's pinned fingerprint.
- README: publish the new repo fingerprint (C2C0…3425). Existing users must
  remove and re-add the repo.
- .gitignore: ignore *.p12 and the whole /fdroid/ working dir.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

.gitignore

@@ -40,6 +40,7 @@ captures/
 # Keystore files
 *.jks
 *.keystore
+*.p12
 /key.properties
 
 # Google Services (e.g. APIs or Firebase)
@@ -50,8 +51,7 @@ google-services.json
 Thumbs.db
 
 # F-Droid local artifacts (the pipeline generates them in CI)
-fdroid/repo/
-fdroid/keystore.p12
+/fdroid/
 
 # KSP
 .ksp/