fix: stop forcing Flux releases during deploy bootstrap

Remove the HelmRelease reset/force annotations from the deploy workflow now
that the cluster can converge on its own. The runtime waits remain, but CI no
longer re-triggers Rancher and NFS churn on every bootstrap attempt.

.gitea/workflows/deploy.yml

@@ -243,12 +243,6 @@ jobs:
                       namespace: external-secrets
           EOF
           # Wait for the storage layer and private access components
-          TS=$(date --iso-8601=seconds)
-          kubectl -n flux-system annotate helmrelease/nfs-subdir-external-provisioner \
-            reconcile.fluxcd.io/requestedAt="$TS" \
-            reconcile.fluxcd.io/resetAt="$TS" \
-            reconcile.fluxcd.io/forceAt="$TS" \
-            --overwrite || true
           kubectl -n flux-system wait --for=condition=Ready kustomization/addon-tailscale-operator --timeout=300s
           kubectl -n kube-system rollout status deployment/kube-system-nfs-subdir-external-provisioner --timeout=600s
           kubectl get storageclass flash-nfs
@@ -258,18 +252,6 @@ jobs:
           KUBECONFIG: outputs/kubeconfig
         run: |
           set -euo pipefail
-          TS=$(date --iso-8601=seconds)
-          kubectl -n flux-system annotate helmrelease/rancher \
-            reconcile.fluxcd.io/requestedAt="$TS" \
-            reconcile.fluxcd.io/resetAt="$TS" \
-            reconcile.fluxcd.io/forceAt="$TS" \
-            --overwrite || true
-          kubectl -n flux-system annotate helmrelease/rancher-backup \
-            reconcile.fluxcd.io/requestedAt="$TS" \
-            reconcile.fluxcd.io/resetAt="$TS" \
-            reconcile.fluxcd.io/forceAt="$TS" \
-            --overwrite || true
-
           echo "Waiting for Rancher..."
           kubectl -n cattle-system rollout status deployment/cattle-system-rancher --timeout=900s
           kubectl -n cattle-system rollout status deployment/rancher-webhook --timeout=900s