CI: build without flatpak-builder to avoid bwrap/privileged requirement

flatpak-builder sandboxes each build command in bubblewrap, which needs
user namespaces / a privileged job container that Gitea act_runner does
not grant by default (bwrap: Creating new namespace failed).

Replace it with scripts/make-flatpak.sh, which uses flatpak
build-init/build-finish/build-export plus plain-shell extraction and the
get_python.sh bake. None of these use bwrap, so an unprivileged container
works. The flatpak-builder manifest stays as a documented alternative.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

.gitea/workflows/build-flatpak.yml

@@ -28,7 +28,7 @@ jobs:
           apt-get update
           DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
             ca-certificates curl git jq xz-utils zstd binutils \
-            flatpak flatpak-builder
+            flatpak
 
       # Done as a plain git clone instead of actions/checkout@v4: the bare
       # ubuntu image has no Node.js, so JavaScript actions fail with exit 127.
@@ -97,14 +97,11 @@ jobs:
       - name: Build Flatpak into OSTree repo
         if: steps.check.outputs.build == 'true'
         run: |
-          flatpak-builder --disable-rofiles-fuse --force-clean \
-            --repo=repo --default-branch=stable \
-            build-dir org.o3de.O3DE.yaml
-          flatpak build-update-repo repo \
-            --title="O3DE (unofficial Flatpak)" \
-            --prune --prune-depth=1
+          # Bwrap-free build (no flatpak-builder) so no privileged container is needed.
+          chmod +x scripts/make-flatpak.sh
+          scripts/make-flatpak.sh
           # Free disk before publishing (the repo/ snapshot is all we still need).
-          rm -rf build-dir .flatpak-builder o3de.deb data
+          rm -rf build-dir o3de.deb data
 
       - name: Generate .flatpakrepo
         if: steps.check.outputs.build == 'true'