CI/Docker: use SSL-free Nexus endpoints (mirror serves partial chain)
CI/CD / CI - API (dotnet build + engine sim) (push) Successful in 6m21s
CI/CD / CI - Web (tsc + next build) (push) Successful in 1m3s
CI/CD / Deploy - local stack (db + server + web) (push) Failing after 1s

The HTTPS Nexus serves an incomplete cert chain that container trust stores
reject (NU1301 PartialChain / UNABLE_TO_GET_ISSUER), failing CI restore/install.
- NuGet has no strict-ssl flag → point CI + Dockerfile + compose at the plain-HTTP
  Nexus (http://171.22.25.73:8081, allowInsecureConnections) — no TLS, no cert check.
- npm: add --strict-ssl=false to the CI web-check install (Dockerfile already had it);
  Docker npm registry default also moved to the HTTP Nexus.
- ENV_FILE.example documents NUGET_INDEX/NPM_REGISTRY overrides.

Local dev (Windows trusts the cert) + image base pulls (Docker trusts it) are
unaffected — only in-container package feeds switch to HTTP.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
soroush.asadi
2026-06-05 08:53:46 +03:30
parent 4b33ea318a
commit 96c8abbeb3
5 changed files with 17 additions and 8 deletions
+4 -2
@@ -37,7 +37,9 @@ jobs:
<configuration>
<packageSources>
<clear />
<add key="nexus" value="https://mirror.soroushasadi.com/repository/nuget-group/index.json" protocolVersion="3" />
<!-- Plain-HTTP Nexus: the HTTPS mirror serves a partial cert chain that
container trust stores can't validate (NU1301 PartialChain). HTTP = no SSL. -->
<add key="nexus" value="http://171.22.25.73:8081/repository/nuget-group/index.json" protocolVersion="3" allowInsecureConnections="true" />
</packageSources>
<config>
<add key="http_retry_count" value="8" />
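Review bot: the new `nexus` source points at `http://171.22.25.73:8081/...` with `allowInsecureConnections="true"`, so every package restored in CI arrives with no transport authentication or integrity protection, and anything on the path between the runner and the mirror can alter what gets built. The comment names the actual fault as a partial chain served by the HTTPS mirror; serving the intermediate certificates from the mirror, or adding the missing intermediate to the container trust store, would keep the `https://mirror.soroushasadi.com` URL with validation intact. If plain HTTP has to stay for now, commit `packages.lock.json` and restore in locked mode so restored packages are checked against recorded content hashes, and replace the hard-coded IP with a name or a variable so the workflow is not tied to one address.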
@@ -77,7 +79,7 @@ jobs:
tar -xzf /tmp/repo.tar.gz --strip-components=1
- name: Install
run: npm ci --legacy-peer-deps --registry https://mirror.soroushasadi.com/repository/npm-group/
run: npm ci --legacy-peer-deps --strict-ssl=false --registry https://mirror.soroushasadi.com/repository/npm-group/
- name: TypeScript check
run: npx tsc --noEmit
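Review bot: `--strict-ssl=false` on the `npm ci` line turns off certificate verification while `--registry` still points at `https://mirror.soroushasadi.com/repository/npm-group/`, so the connection is encrypted but the server is never authenticated. This is also a different workaround from the NuGet hunk, which moves to the plain-HTTP endpoint, and the step carries no comment explaining it. Prefer giving npm the missing intermediate through its `cafile` setting or `NODE_EXTRA_CA_CERTS` so verification stays on; if the flag remains, note the reason next to the step and keep `package-lock.json` committed so `npm ci` still checks the recorded integrity hashes.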