load android signing secrets from SOPS for local builds

Keystore is decoded into /dev/shm (tmpfs, RAM-only) during the build
and cleaned up on exit — never written to physical disk. ANDROID_KEYSTORE_PATH
is now required with no fallback; missing it fails loudly. Dagger CI path
updated to write to /tmp and set ANDROID_KEYSTORE_PATH accordingly.

Also fix check_ci_images.sh: filter out incomplete image tags ending in ':'
that arise from dynamic From("image:"+variable) concatenations.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Thomas SharedInbox
2026-06-05 09:00:26 +02:00
co-authored by Claude Sonnet 4.6
parent 3db1bd8ac2
commit 0cefc8f8e7
6 changed files with 24 additions and 75 deletions
+2 -11
@@ -24,13 +24,11 @@ android {
signingConfigs {
create("release") {
// Hardcoded alias matching t.sh
keyAlias = "upload"
// Use the same password for both key and keystore
val pass = System.getenv("ANDROID_KEYSTORE_PASSWORD")
storePassword = pass
keyPassword = pass
storeFile = file("upload-keystore.jks")
storeFile = file(System.getenv("ANDROID_KEYSTORE_PATH") ?: error("ANDROID_KEYSTORE_PATH is not set"))
}
}
@@ -46,14 +44,7 @@ android {
buildTypes {
release {
// Use the signing config defined above for release builds.
// If the keystore file exists (e.g. in CI or manually placed), sign it.
signingConfig = if (signingConfigs.getByName("release").storeFile?.exists() == true) {
signingConfigs.getByName("release")
} else {
signingConfigs.getByName("debug")
}
signingConfig = signingConfigs.getByName("release")
isMinifyEnabled = false
isShrinkResources = false
ndk {
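Review bot: The new `storeFile` line in the first hunk rejects only an unset ANDROID_KEYSTORE_PATH; an empty value, or a path whose tmpfs file is already gone, passes the `?:` check and would only surface later in the signing task with a less direct message. ANDROID_KEYSTORE_PASSWORD, read two lines above it, still has no check at all, so the fail-loud behaviour the commit describes covers the path but not the password. Consider `val pass = System.getenv("ANDROID_KEYSTORE_PASSWORD")?.takeIf { it.isNotEmpty() } ?: error("ANDROID_KEYSTORE_PASSWORD is not set")` and the same `takeIf` on the path, keeping the secret value itself out of the message. Because the body of `create("release")` is evaluated at configuration time, these `error()` calls will presumably also stop debug builds and IDE sync when the variables are absent; if that is not intended, the check could be made conditional on a release task being requested. The `android` block starts and ends outside both hunks.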