build: source ZDDC_SIGNING_KEY from ~/.config/zddc-signing/env

The Forgejo runner daemon (deploy-release.yml's host runner) starts
non-interactively and doesn't source ~/.bashrc, so the signing key
wasn't reaching ./build despite being available to interactive
shells. The 0.0.18 stable cut surfaced this — the runner re-cuts at
the tag and `sign_release_artifacts` failed with
"ZDDC_SIGNING_KEY is unset" on every stable tag push.

Match the ~/.bashrc auto-sourcing pattern used for
~/.config/{codeberg,forgejo,github}/env, but inside the build
script. Self-sufficient for any execution context: interactive
shell (already covered by bashrc), Forgejo runner (now covered),
cron, anything else.

Canonical operator setup (one-time):
  cat > ~/.config/zddc-signing/env <<EOF
  export ZDDC_SIGNING_KEY=/home/user/.config/zddc-signing/key.pem
  EOF
  chmod 600 ~/.config/zddc-signing/env

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
ZDDC 2026-05-20 10:08:49 -05:00
parent 49866f6353
commit b925dc56ce
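The conditional-source pattern the message describes, as an added example that is not the project's own code: a hypothetical `load_signing_env` helper that goes beyond the page's snippet by refusing to source an env file that is not owned by the current user or is group/world-accessible (the file is executed as shell code, so the `chmod 600` from the operator setup becomes an enforced check). Assumes GNU `stat` (`-c`), as found on a Linux runner host.

```shell
#!/bin/sh
# Hypothetical hardened variant of the build script's conditional source.
# Return codes: 0 key is set, 1 no env file, 2 unsafe ownership/mode,
# 3 the file was sourced but did not export ZDDC_SIGNING_KEY.
load_signing_env() {
    env_file="${1:-$HOME/.config/zddc-signing/env}"

    # Already provided by the caller's environment (interactive shell,
    # workflow yaml, systemd EnvironmentFile): nothing to do.
    if [ -n "${ZDDC_SIGNING_KEY:-}" ]; then
        return 0
    fi

    # No env file is not an error here; sign_release_artifacts reports
    # the unset key with its own message.
    [ -f "$env_file" ] || return 1

    # The file is executed with the build's privileges, so insist that
    # only the current user could have written it: owned by us and the
    # group/other octal digits both zero (e.g. 600 or 400). GNU stat.
    owner=$(stat -c '%u' "$env_file") || return 2
    mode=$(stat -c '%a' "$env_file") || return 2
    [ "$owner" = "$(id -u)" ] || return 2
    case "$mode" in
        *00) ;;
        *) return 2 ;;
    esac

    # shellcheck disable=SC1090
    . "$env_file"

    # Sourcing succeeded but the file did not set the key: fail early
    # rather than letting the signing step discover it later.
    [ -n "${ZDDC_SIGNING_KEY:-}" ] || return 3
    return 0
}
```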

build

@ -908,6 +908,15 @@ PIN_END
# Sign artifacts + regenerate releases/index.html on stable cuts.
# Beta cuts produce no public artifact, so nothing to sign or index.
if [ "$RELEASE_CHANNEL" = "stable" ]; then
# Source ZDDC_SIGNING_KEY from ~/.config/zddc-signing/env if it
# isn't already in env. Mirrors ~/.bashrc's auto-sourcing pattern
# for ~/.config/{codeberg,forgejo,github}/env, but inside the
# build script so non-interactive callers (Forgejo runner daemon,
# cron, etc.) pick it up without needing systemd EnvironmentFile
# or workflow yaml.
if [ -z "${ZDDC_SIGNING_KEY:-}" ] && [ -f "$HOME/.config/zddc-signing/env" ]; then
. "$HOME/.config/zddc-signing/env"
fi
echo ""
echo "=== Signing release artifacts ==="
sign_release_artifacts "$RELEASES_DIR"
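Review bot: the `. "$HOME/.config/zddc-signing/env"` line executes that file as shell code with the build's privileges, but nothing here checks that it is owned by the current user and not group/world-writable, so the `chmod 600` in the operator setup is only a convention rather than something the script relies on. Consider guarding the source with an ownership/mode check (for example `[ "$(stat -c '%u' "$f")" = "$(id -u)" ]` together with a test that the mode ends in `00`) and failing loudly otherwise, so a loosened permission on the runner host cannot turn into code execution inside the stable-cut path.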