fix(ci/docker): pre-download artifacts before build, remove --secret

The Dockerfile's --mount=type=secret path was corrupting the SA key JSON
due to control character handling differences. Pre-download soul + El SDK
in the CI workflow (using already-authenticated gcloud) and COPY them from
the build context. No credentials needed inside the Docker build.

.gitea/workflows/deploy-gke.yaml

@@ -46,8 +46,7 @@ jobs:
         run: |
           apt-get update -qq
           apt-get install -y --no-install-recommends \
-            ca-certificates curl apt-transport-https kubectl \
-            docker-buildx-plugin
+            ca-certificates curl apt-transport-https kubectl
           echo "deb [trusted=yes] https://packages.cloud.google.com/apt cloud-sdk main" \
             > /etc/apt/sources.list.d/google-cloud-sdk.list
           apt-get update -qq && apt-get install -y google-cloud-cli google-cloud-cli-gke-gcloud-auth-plugin
@@ -109,6 +108,66 @@ jobs:
           echo "slot=${SLOT}" >> "$GITEA_OUTPUT"
           echo "  Deploying to slot: ${SLOT}"
 
+      - name: Prepare build artifacts
+        run: |
+          # Pre-download soul binary and El SDK so the Dockerfile can COPY them
+          # from the build context instead of authenticating inside the build.
+          mkdir -p build-artifacts
+
+          # ── soul binary ────────────────────────────────────────────────────────
+          # ci.yaml publishes the soul binary to foundation-prod on every push.
+          # Download the latest version (the one just built by ci.yaml).
+          SOUL_VER=$(gcloud artifacts versions list \
+            --repository=foundation-prod \
+            --location=us-central1 \
+            --project=neuron-785695 \
+            --package=neuron-soul \
+            --sort-by="~createTime" \
+            --limit=1 \
+            --format="value(name)" 2>/dev/null | awk -F/ '{print $NF}')
+          echo "Downloading neuron-soul@${SOUL_VER}"
+          gcloud artifacts generic download \
+            --repository=foundation-prod \
+            --location=us-central1 \
+            --project=neuron-785695 \
+            --package=neuron-soul \
+            --version="${SOUL_VER}" \
+            --destination=build-artifacts/
+          mv build-artifacts/neuron* build-artifacts/neuron 2>/dev/null || true
+          chmod +x build-artifacts/neuron
+
+          # ── El SDK (for engram source compilation inside the build) ────────────
+          ELC_VER=$(gcloud artifacts versions list \
+            --repository=foundation-prod --location=us-central1 --project=neuron-785695 \
+            --package=el-elc --sort-by="~createTime" --limit=1 \
+            --format="value(name)" 2>/dev/null | awk -F/ '{print $NF}')
+          gcloud artifacts generic download \
+            --repository=foundation-prod --location=us-central1 --project=neuron-785695 \
+            --package=el-elc --version="${ELC_VER}" --destination=build-artifacts/
+          mv build-artifacts/elc* build-artifacts/elc 2>/dev/null || true
+          chmod +x build-artifacts/elc
+
+          RC_VER=$(gcloud artifacts versions list \
+            --repository=foundation-prod --location=us-central1 --project=neuron-785695 \
+            --package=el-runtime-c --sort-by="~createTime" --limit=1 \
+            --format="value(name)" 2>/dev/null | awk -F/ '{print $NF}')
+          gcloud artifacts generic download \
+            --repository=foundation-prod --location=us-central1 --project=neuron-785695 \
+            --package=el-runtime-c --version="${RC_VER}" --destination=build-artifacts/
+          mv build-artifacts/el_runtime.c* build-artifacts/el_runtime.c 2>/dev/null || true
+
+          RH_VER=$(gcloud artifacts versions list \
+            --repository=foundation-prod --location=us-central1 --project=neuron-785695 \
+            --package=el-runtime-h --sort-by="~createTime" --limit=1 \
+            --format="value(name)" 2>/dev/null | awk -F/ '{print $NF}')
+          gcloud artifacts generic download \
+            --repository=foundation-prod --location=us-central1 --project=neuron-785695 \
+            --package=el-runtime-h --version="${RH_VER}" --destination=build-artifacts/
+          mv build-artifacts/el_runtime.h* build-artifacts/el_runtime.h 2>/dev/null || true
+
+          echo "Build artifacts ready:"
+          ls -lh build-artifacts/
+
       - name: Clone engram source for Docker build context
         run: |
           # The Dockerfile builds engram from source (no published AR package).
@@ -119,17 +178,13 @@ jobs:
           echo "Engram source ready at ./engram/src/server.el"
 
       - name: Build and push Docker image
-        env:
-          GCP_SA_KEY: ${{ secrets.GCP_SA_KEY }}
-          DOCKER_BUILDKIT: "1"
         run: |
           IMAGE="${{ steps.vars.outputs.image }}"
-          SHA="${{ steps.vars.outputs.sha }}"
 
           echo "Building ${IMAGE}..."
+          # No --secret needed: artifacts are pre-downloaded into build-artifacts/
+          # and the Dockerfile uses COPY to include them.
           docker build \
-            --build-arg SOUL_VERSION="${SHA}" \
-            --secret id=gcp_sa_key,env=GCP_SA_KEY \
             --tag "${IMAGE}" \
             --tag "us-central1-docker.pkg.dev/neuron-785695/neuron-api/neuron-soul:latest" \
             .