ci: decouple android release attach, add workflow_dispatch to release.yml

build-android.yml
- Attach step upserts the Gitea release: GET /releases/tags/<TAG>, and
  POST to create it on 404 instead of warning-and-skipping. Removes the
  ordering dependency on release.yml's create-release job — the Android
  workflow can now own its own release attachment end-to-end.
- Fail loudly on broken DEPLOY_TOKEN: curl -f on every asset call so
  403/422 surface as job failures instead of "Uploaded" lies, and an
  explicit check that the token is non-empty before starting.
- Preserve the pre-existing replace-on-re-run behavior for idempotent
  asset uploads.

release.yml
- Add workflow_dispatch trigger with optional `version` input so the
  Windows/Linux/Docker builds can be exercised on demand between real
  releases (was tag-push only).
- Gate create-release on github.event_name == 'push' so a manual
  dispatch doesn't create a stray Gitea release.
- Each build job gets `if: !cancelled() && (needs.create-release.result
  in (success, skipped))` so dispatch runs still produce artifacts even
  though create-release was skipped.
- Gate each "Attach * to release" step on github.event_name == 'push'.
- Docker: login + push are push-only; build runs on both triggers so
  dispatch validates the Dockerfile without needing registry creds.

.gitea/workflows/build-android.yml

@@ -159,7 +159,7 @@ jobs:
           path: ${{ steps.apk.outputs.path }}
           retention-days: 90
 
-      - name: Attach APK to Gitea release
+      - name: Attach APK to Gitea release (upsert)
         if: ${{ steps.label.outputs.is_release == 'true' }}
         env:
           GITEA_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
@@ -170,25 +170,61 @@ jobs:
           APK_PATH="${{ steps.apk.outputs.path }}"
           APK_NAME="${{ steps.apk.outputs.name }}"
 
-          # Fetch release by tag (created by release.yml `create-release` job)
-          RELEASE_ID=$(curl -s "$BASE_URL/releases/tags/$TAG" \
-            -H "Authorization: token $GITEA_TOKEN" \
-            | python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))")
-          if [ -z "$RELEASE_ID" ]; then
-            echo "::warning::No release found for tag $TAG — skipping asset upload"
-            exit 0
+          if [ -z "${GITEA_TOKEN:-}" ]; then
+            echo "::error::DEPLOY_TOKEN secret not configured — cannot attach APK"
+            exit 1
           fi
 
-          # Replace existing asset if present (re-run safety)
-          EXISTING_ID=$(curl -s "$BASE_URL/releases/$RELEASE_ID/assets" \
+          # Upsert: look up release by tag. If it exists, reuse it; if 404,
+          # create one. Makes the Android workflow self-sufficient — no
+          # ordering dependency on release.yml's create-release job.
+          HTTP=$(curl -s -o /tmp/release.json -w "%{http_code}" \
+            "$BASE_URL/releases/tags/$TAG" \
+            -H "Authorization: token $GITEA_TOKEN")
+          case "$HTTP" in
+            200)
+              RELEASE_ID=$(python3 -c "import json; print(json.load(open('/tmp/release.json'))['id'])")
+              echo "Found existing release id=$RELEASE_ID"
+              ;;
+            404)
+              echo "No release for tag $TAG — creating one"
+              IS_PRE="false"
+              if echo "$TAG" | grep -qE '(alpha|beta|rc)'; then
+                IS_PRE="true"
+              fi
+              CREATE_HTTP=$(curl -s -o /tmp/created.json -w "%{http_code}" \
+                -X POST "$BASE_URL/releases" \
+                -H "Authorization: token $GITEA_TOKEN" \
+                -H "Content-Type: application/json" \
+                -d "{\"tag_name\":\"$TAG\",\"name\":\"LedGrab $TAG\",\"draft\":false,\"prerelease\":$IS_PRE}")
+              if [ "$CREATE_HTTP" != "201" ] && [ "$CREATE_HTTP" != "200" ]; then
+                echo "::error::Failed to create release (HTTP $CREATE_HTTP)"
+                cat /tmp/created.json
+                exit 1
+              fi
+              RELEASE_ID=$(python3 -c "import json; print(json.load(open('/tmp/created.json'))['id'])")
+              echo "Created release id=$RELEASE_ID"
+              ;;
+            *)
+              echo "::error::Unexpected HTTP $HTTP when looking up release for tag $TAG"
+              cat /tmp/release.json
+              exit 1
+              ;;
+          esac
+
+          # Replace existing asset if present (re-run safety).
+          EXISTING_ID=$(curl -fsS "$BASE_URL/releases/$RELEASE_ID/assets" \
             -H "Authorization: token $GITEA_TOKEN" \
-            | python3 -c "import sys,json; assets=json.load(sys.stdin); print(next((str(a['id']) for a in assets if a['name']=='$APK_NAME'),''))" 2>/dev/null)
+            | python3 -c "import sys,json; assets=json.load(sys.stdin); print(next((str(a['id']) for a in assets if a['name']=='$APK_NAME'),''))")
           if [ -n "$EXISTING_ID" ]; then
-            curl -s -X DELETE "$BASE_URL/releases/$RELEASE_ID/assets/$EXISTING_ID" \
+            curl -fsS -X DELETE "$BASE_URL/releases/$RELEASE_ID/assets/$EXISTING_ID" \
               -H "Authorization: token $GITEA_TOKEN"
+            echo "Replaced existing asset: $APK_NAME"
           fi
 
-          curl -s -X POST \
+          # -f: exit non-zero on 4xx/5xx so a broken token fails the job
+          # loudly instead of the previous silent "Uploaded" lie.
+          curl -fsS -X POST \
             "$BASE_URL/releases/$RELEASE_ID/assets?name=$APK_NAME" \
             -H "Authorization: token $GITEA_TOKEN" \
             -H "Content-Type: application/octet-stream" \