gitea-actions: add ARM/Python CI deps and SSH bind-mount for submodule clones

- Containerfile.ci: add python3-yaml + python3-jinja2 and the
  gcc-arm-none-eabi / binutils / libnewlib toolchain for embedded builds
- bind-mount the runner's SSH key + known_hosts read-only into each job
  container at /root/.ssh so submodule clones over
  ssh://git@git.skudak.com:2222 succeed; staged as a dedicated
  container_file_t-labelled ci-ssh copy (tasks/user.yml) and allowlisted
  via valid_volumes (config.yaml.j2)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

ansible/roles/gitea-actions/templates/config.yaml.j2

@@ -23,9 +23,16 @@ container:
   # per-job Go module/build caches and fixes cross-repo cache poisoning.
   network: host
   privileged: false
-  options:
+  # Bind-mount the runner's SSH material (key + known_hosts) read-only into
+  # every job container at /root/.ssh (CI image runs as root) so git submodule
+  # clones over ssh://git@git.skudak.com:2222 succeed. ci-ssh is a dedicated
+  # container_file_t-labelled copy staged in tasks/user.yml.
+  options: -v {{ gitea_runner_home }}/ci-ssh:/root/.ssh:ro
   workdir_parent:
-  valid_volumes: []
+  # act_runner gates host bind-mounts against this allowlist; the ci-ssh source
+  # path must be listed or the -v above is silently stripped from the job container.
+  valid_volumes:
+    - {{ gitea_runner_home }}/ci-ssh
   # Point act at the real rootless socket so it mounts the correct path into
   # job containers (the documented rootless-podman gotcha).
   docker_host: "unix:///run/user/{{ gitea_runner_uid }}/podman/podman.sock"