fix(ci): run factory tofu workflows on the CA-trusting runner

After the move to the self-signed internal DNS (gitea.arcodange.lab /
vault.arcodange.lab), the default `ubuntu-latest` runner image does not
trust the homelab CA, so the `uses:` clone of the vault-action over HTTPS
fails TLS verification. webapp's workflows already moved to the
`ubuntu-latest-ca` runner (whose image ships the homelab CA); apply the
same to the factory `iac` and `postgres` tofu workflows.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

.gitea/workflows/iac.yaml

@@ -36,7 +36,7 @@ concurrency:
 jobs:
   gitea_vault_auth:
     name: Auth with gitea for vault
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-ca
     outputs:
       gitea_vault_jwt: ${{steps.gitea_vault_jwt.outputs.id_token}}
     steps:
@@ -50,7 +50,7 @@ jobs:
     name: Tofu
     needs:
       - gitea_vault_auth
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-ca
     env:
       OPENTOFU_VERSION: 1.8.2
       TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}