Integrated build system

Releases so far have been managed by the separate Build Helpers project. That has proven to be unreliable:

• The host system needs to be set up just right
• Even though the build is make-based, it likes to redo steps and break things that rely on checksums
• It is not possible to integrate it into CI

So we need something new. Requirements:

• The entire build must be defined in the main source project. External references are fine, but they need to be pinned to specific revisions.
• The build needs to be largely independent of the host configuration.
• It needs to integrate with CI.
• It also needs to be testable locally without going mad, i.e. without requiring rebuilding all to test a deployment step.
• It needs to automatically deploy to launchpad files, our PPA and ZeroInstall

Choices: To allow local testing, the new system is also make based. To factor out host dependencies, all builds that are later released are done in Docker containers (a bootstrap build is done on the host). This keeps the CI yaml file reasonably simple, it just does some setup and delegates the core work to make. To allow automatic deployment, a custom own GitLab runner was set up that has the secrets required for deployment in its configuration; deployment jobs can only run on it and will only run on protected branches.