Pushing per-hash tags accumulates multi-GB versions in the registry,
and package cleanup rules can't distinguish the hash tags that the
latest-{arch} tags currently point to from stale ones. Push only
latest-{arch} and record the Dockerfile hash as an image label; the
skip-rebuild check reads the label back via buildx imagetools.
apt.llvm.org has no repository for the current ubuntu:rolling release,
and nothing pins clang 20 - CC=clang already resolved to the distro
clang. Drop the llvm.sh step along with its helper packages.
docker build now runs under the buildx docker-container driver, which
keeps the result in the build cache unless told otherwise, so push
directly from the build instead of tagging locally.
Jobs run as root in the job container; the earlier permission errors
were SELinux denials on the mounted podman socket, fixed in the runner
config with --security-opt label=disable.
Gitea's ephemeral Actions token is not accepted by the container
registry, so docker login and image pulls use REGISTRY_USER /
REGISTRY_TOKEN secrets (a dedicated low-privilege account and its
personal access token with package read/write scope) instead.
Replace the Jenkinsfile with .gitea/workflows/ci.yml. The CI image is
built from the Dockerfile and pushed to the Gitea container registry,
rebuilt only when the Dockerfile or pre-commit config changes. The
aarch64 release build now runs natively on an arm64 runner instead of
cross-compiling, so the cross toolchain and qemu are dropped from the
image. Artifacts still go to MinIO (via mc, skipped gracefully if
credentials are not configured); ccache uses actions/cache instead of a
host volume.
andrew