ci: fix Trust step crash in sh — replace pipefail with POSIX set -eu

Gitea act runner v0.6.1 ignores `shell: bash` step overrides and always
executes with `sh -e {0}`. The `set -euo pipefail` on line 2 caused sh to
exit immediately with "Illegal option -o pipefail" before any curl/openssl
ran. Replace with POSIX-compatible `set -eu` in both api-build and
admin-api-build trust steps so the diagnostic curl output is finally visible.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.gitea/workflows/ci-cd.yml

@@ -82,10 +82,10 @@ jobs:
 
       - name: Trust Nexus mirror CA (diagnostic)
         # Verbose / fail-fast version to expose exactly where the chain trust breaks.
-        # shell: bash required — Gitea act runner defaults to sh, which lacks pipefail.
-        shell: bash
+        # Gitea act runner v0.6.1 ignores shell: overrides and always uses sh.
+        # Use set -eu (POSIX) — pipefail is bash-only and crashes sh on line 1.
         run: |
-          set -euo pipefail
+          set -eu
           echo "=== OS / OpenSSL info ==="
           cat /etc/os-release | head -4 || true
           openssl version || true
@@ -171,8 +171,9 @@ jobs:
 
       - name: Trust Nexus mirror CA (diagnostic)
         # Same verbose/fail-fast step as api-build — see that job for full comments.
+        # Gitea act runner v0.6.1 ignores shell: overrides; use POSIX set -eu.
         run: |
-          set -euo pipefail
+          set -eu
           curl -v --max-time 15 http://yr.i.lencr.org/ -o /tmp/isrg-root-yr.der 2>&1
           echo "File size: $(wc -c < /tmp/isrg-root-yr.der) bytes"
           openssl x509 -inform DER -in /tmp/isrg-root-yr.der \