ci: add publish-arm64 flake app for local parity (emmett#44)

Introduce a shared publish-arm64 flake app (archetype oci-image-skopeo)
that builds the arm64 docker-archive via Nix and skopeo-copies it to the
Gitea OCI registry as :<ver>-arm64, mirroring to :latest-arm64. Both
.woodpecker.yaml and `nix run .#publish-arm64` invoke the same app so CI
and local cannot drift.

- dry-run by default; PUBLISH=1 to actually push (safe to run locally)
- token via $REGISTRY_TOKEN, fallback pass infra/gitea/personal_access_token_packages_rw
- token never printed; no set -x on token-bearing paths
- rename CI secret env CI_REGISTRY_TOKEN -> REGISTRY_TOKEN
- thin .woodpecker.yaml: one PUBLISH=1 nix run line
- --help/--dry-run honored; meta.description set

README.md

@@ -8,14 +8,31 @@ registry.
 ## Output
 
 | Tag | Pushed when |
-|---|---|
+| --- | --- |
 | `git.oleks.space/oleks/angie:<version>-arm64` | every successful CI run |
 | `git.oleks.space/oleks/angie:latest-arm64` | every successful CI run |
 
 The version string comes from `pkgs.angie.version` in nixpkgs unstable; bump
 the flake input to roll it forward.
 
-## Build locally
+## Build / publish locally
+
+CI and local runs share one entrypoint (emmett#44, archetype oci-image-skopeo):
+
+```bash
+# dry-run: build the arm64 image and print the refs it would push (no registry contact)
+nix run .#publish-arm64
+
+# actually push :<version>-arm64 and mirror to :latest-arm64
+PUBLISH=1 nix run .#publish-arm64
+```
+
+The registry token is read from `$REGISTRY_TOKEN`, falling back to
+`pass infra/gitea/personal_access_token_packages_rw`. The token is never
+printed. `.woodpecker.yaml` runs the exact same app with `PUBLISH=1`, so CI
+and local cannot drift.
+
+Just the raw build (no push):
 
 ```bash
 nix build .#default