CI: build without flatpak-builder to avoid bwrap/privileged requirement

flatpak-builder sandboxes each build command in bubblewrap, which needs
user namespaces / a privileged job container that Gitea act_runner does
not grant by default (bwrap: Creating new namespace failed).

Replace it with scripts/make-flatpak.sh, which uses flatpak
build-init/build-finish/build-export plus plain-shell extraction and the
get_python.sh bake. None of these use bwrap, so an unprivileged container
works. The flatpak-builder manifest stays as a documented alternative.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-15 10:04:32 +02:00
parent ff03166642
commit 5ae57f3bbf
4 changed files with 90 additions and 27 deletions
+11 -9
@@ -42,12 +42,13 @@ flatpak update org.o3de.O3DE
| File | Purpose |
| --- | --- |
| `org.o3de.O3DE.yaml` | `flatpak-builder` manifest. Unpacks the official `o3de_*.deb` into `/app` and wires up a launcher. |
| `scripts/make-flatpak.sh` | **The build.** Unpacks the official `o3de_*.deb` into `/app`, bakes in Python, and exports an OSTree repo using `flatpak build-init`/`build-finish`/`build-export` — no `flatpak-builder`, no bubblewrap, no privileged container. |
| `o3de-wrapper.sh` | Entry point. Finds the versioned `o3de` Project Manager binary inside the sandbox and sets `LD_LIBRARY_PATH`. |
| `org.o3de.O3DE.desktop` | Desktop entry under the Flatpak app-id. |
| `org.o3de.O3DE.metainfo.xml` | AppStream metadata (version stamped at build time). |
| `scripts/get-latest-version.sh` | Resolves the latest `.deb` URL, version, and SHA-256 from o3debinaries.org. |
| `scripts/build.sh` | Build + test the Flatpak locally. |
| `scripts/build.sh` | Download + build + test the Flatpak locally (wraps `make-flatpak.sh`). |
| `org.o3de.O3DE.yaml` | Equivalent `flatpak-builder` manifest — kept as an **alternative** for builders that have a privileged/bwrap-capable environment. Not used by CI. |
| `.gitea/workflows/build-flatpak.yml` | CI: detect new version → build → publish to `pages` → tag `vX.Y.Z`. |
The engine ships as a Debian package at a predictable URL
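Review bot: the new `scripts/make-flatpak.sh` row should state whether the downloaded `o3de_*.deb` is checked against the SHA-256 that `scripts/get-latest-version.sh` resolves before the plain-shell extraction into `/app`. Now that a shell script rather than a `flatpak-builder` manifest does the unpacking, the table is the natural place to say where payload integrity is verified; a clause such as "verifies the SHA-256 from `get-latest-version.sh`, then unpacks" would close that gap if the script does it.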
@@ -66,10 +67,9 @@ The workflow targets a **self-hosted `act_runner`**. Because O3DE is large:
size (extracted payload in `build-dir` + a copy committed into the OSTree
`repo/`). The job deletes `build-dir` before publishing to cut peak usage, but
it can still be tight. If builds fail on space, that's the first thing to check.
- **Privileged container:** Flatpak's sandbox (bubblewrap) needs it. The job sets
`options: --privileged`; your runner's `config.yaml` must allow privileged
containers (or run jobs in host mode with `flatpak`/`flatpak-builder` installed
on the host).
- **No privileged container required.** The build avoids `flatpak-builder`/bwrap
and uses `flatpak build-init`/`build-finish`/`build-export`, which only touch
files and the OSTree repo. A plain unprivileged job container works.
- **Runner label:** the job uses `runs-on: ubuntu-latest`. Change it if your
runner is registered with a different label.
- **Token:** publishing force-pushes the `pages` branch and creates a `vX.Y.Z`
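Review bot: the disk-space bullet kept as context still says the extracted payload lives in `build-dir` and that the job deletes `build-dir` before publishing, which was the `flatpak-builder` directory. With the build now driven by `flatpak build-init`/`build-finish`/`build-export`, confirm that `scripts/make-flatpak.sh` uses the same directory name, and otherwise update that bullet so the documented cleanup step matches what the job actually removes.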
@@ -87,14 +87,16 @@ the upstream version has no matching `vX.Y.Z` tag yet, so reruns are cheap no-op
## Building locally
```sh
sudo apt install flatpak flatpak-builder # or your distro's equivalent
sudo apt install flatpak # or your distro's equivalent
./scripts/build.sh
```
Test without installing:
Then install from the local `repo/` and run:
```sh
flatpak-builder --run build-dir org.o3de.O3DE.yaml o3de-wrapper.sh
flatpak remote-add --user --no-gpg-verify o3de-local repo
flatpak install --user o3de-local org.o3de.O3DE
flatpak run org.o3de.O3DE
```
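Review bot: `--no-gpg-verify` on the new `flatpak remote-add` line is appropriate only for the locally built `repo/`, and the text should say so, since the same `build-export` output is what gets published to `pages`; a short note that the published repo is signed (for example via `flatpak build-export --gpg-sign=KEYID`) would stop readers from carrying that flag over to the public remote. The removed `flatpak-builder --run build-dir …` line was also the documented way to test without installing, so a sentence stating that the new flow requires a `--user` install first would keep the "Building locally" section complete.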
---