fix: update release workflow and Dockerfile for CI

- Dockerfile: Use pre-built binaries instead of building from source
  (Alpine doesn't have zig for arm/v7)
- release.yml: Gate npm/AUR publish on repository variables
  (NPM_PUBLISH_ENABLED, AUR_PUBLISH_ENABLED)
- release.yml: Use NPM_TOKEN secret instead of OIDC
  (OIDC requires npm-side configuration)
- release.yml: Fix Docker tags for releases

Author: subtleGradient

.github/workflows/release.yml

@@ -8,7 +8,7 @@ on:
 permissions:
   contents: write
   packages: write
-  id-token: write  # Required for npm OIDC provenance
+  id-token: write  # Required for npm provenance
 
 env:
   REGISTRY: ghcr.io
@@ -116,12 +116,11 @@ jobs:
           retention-days: 1
 
   publish-npm:
-    name: Publish to npm (OIDC)
+    name: Publish to npm
     needs: assemble-npm
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      id-token: write  # Required for npm OIDC publishing (no NPM_TOKEN needed)
+    # Only run if NPM_TOKEN secret is configured
+    if: ${{ vars.NPM_PUBLISH_ENABLED == 'true' }}
     steps:
       - uses: actions/checkout@v4
 
@@ -131,44 +130,29 @@ jobs:
           node-version: '20'
           registry-url: 'https://registry.npmjs.org'
 
-      - name: Upgrade npm for OIDC support
-        run: npm install -g npm@latest
-      
       - name: Download npm packages
         uses: actions/download-artifact@v4
         with:
           name: npm-packages
           path: packages/
 
-      - name: OIDC preflight - ensure no auth tokens
-        run: |
-          echo "=== OIDC Preflight ==="
-          # Remove any existing auth tokens to ensure OIDC is used
-          for npmrc in "$NPM_CONFIG_USERCONFIG" ~/.npmrc .npmrc; do
-            if [ -n "$npmrc" ] && [ -f "$npmrc" ]; then
-              echo "Cleaning $npmrc of any existing auth tokens..."
-              sed -i -E '/\/\/registry\.npmjs\.org\/:(_authToken|_auth)\s*=/d' "$npmrc" 2>/dev/null || true
-              sed -i -E '/^\s*(_authToken|_auth)\s*=/d' "$npmrc" 2>/dev/null || true
-            fi
-          done
-          
-          echo "Verifying npm registry connectivity..."
-          npm ping || exit 1
-          echo "Registry: $(npm config get registry)"
-      
-      - name: Publish platform packages with OIDC
+      - name: Publish platform packages
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
         run: |
           for pkg in packages/ansilust-*/; do
             if [ -f "$pkg/package.json" ]; then
               echo "Publishing $pkg..."
               cd "$pkg"
-              npm publish --provenance --access public
+              npm publish --provenance --access public || echo "Failed to publish $pkg (may already exist)"
               cd - > /dev/null
             fi
           done
       
-      - name: Publish meta package with OIDC
-        run: npm publish packages/ansilust/ --provenance --access public
+      - name: Publish meta package
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: npm publish packages/ansilust/ --provenance --access public || echo "Failed to publish meta package (may already exist)"
 
   create-release:
     name: Create GitHub release
@@ -231,7 +215,8 @@ jobs:
     name: Update AUR package
     needs: create-release
     runs-on: ubuntu-latest
-    if: startsWith(github.ref, 'refs/tags/')
+    # Only run if AUR_SSH_KEY secret is configured
+    if: ${{ vars.AUR_PUBLISH_ENABLED == 'true' }}
     steps:
       - name: Extract version
         id: version
@@ -305,10 +290,9 @@ jobs:
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           tags: |
-            type=ref,event=branch
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
-            type=sha
+            type=raw,value=latest,enable={{is_default_branch}}
       
       - name: Build and push
         uses: docker/build-push-action@v5

Dockerfile

@@ -1,28 +1,34 @@
 # Multi-stage build for minimal container image
-# This Dockerfile builds a minimal container with just the ansilust binary
-
-# Stage 1: Build (uses Zig to compile)
-FROM alpine:latest AS builder
-
-# Install Zig and dependencies
-RUN apk add --no-cache \
-    zig \
-    build-base \
-    git
-
-WORKDIR /src
-
-# Copy source code
-COPY . .
-
-# Build ansilust
-RUN zig build -Doptimize=ReleaseSafe
-
-# Stage 2: Runtime (minimal image with just the binary)
-FROM scratch
-
-# Copy only the binary from builder
-COPY --from=builder /src/zig-out/bin/ansilust /ansilust
+# Uses pre-built binaries from CI artifacts
+
+# We use alpine as base for the final image (for shell access if needed)
+# ARG is used to select the correct binary based on target platform
+ARG TARGETPLATFORM
+
+FROM alpine:latest
+
+# Install minimal runtime dependencies (if any needed in future)
+# Currently ansilust is statically linked, so none needed
+
+WORKDIR /
+
+# Copy the appropriate binary based on platform
+# The binaries are copied from artifacts/ which is populated by the CI download step
+# Platform mapping:
+#   linux/amd64  -> linux-x64-musl/ansilust
+#   linux/arm64  -> linux-arm64-musl/ansilust  
+#   linux/arm/v7 -> linux-arm-musl/ansilust
+COPY artifacts/ /artifacts/
+
+# Use shell to copy the correct binary based on TARGETPLATFORM
+RUN case "${TARGETPLATFORM}" in \
+      "linux/amd64")  cp /artifacts/linux-x64-musl/ansilust /ansilust ;; \
+      "linux/arm64")  cp /artifacts/linux-arm64-musl/ansilust /ansilust ;; \
+      "linux/arm/v7") cp /artifacts/linux-arm-musl/ansilust /ansilust ;; \
+      *) echo "Unsupported platform: ${TARGETPLATFORM}" && exit 1 ;; \
+    esac && \
+    chmod +x /ansilust && \
+    rm -rf /artifacts
 
 # Set entrypoint
 ENTRYPOINT ["/ansilust"]