
Improve GitHub Actions workflows security and performance#1977

Merged: umputun merged 1 commit into master from docker-native-arm64-runners, Dec 8, 2025

Conversation

@paskal (Collaborator) commented Dec 8, 2025

Summary

  • Separate Docker build/push into dedicated docker.yml triggered after backend tests pass via workflow_run
  • Simplify ci-build.yml to PR-only validation (removes push triggers, production builds moved to docker.yml)
  • Migrate ci-site.yml to native ARM64 runners with build matrix → manifest merge → deploy pattern
  • Upgrade actions/checkout to v6 with persist-credentials: false across all workflows for improved security
  • Add explicit permissions: contents: read to all jobs (principle of least privilege)
  • Upgrade golangci-lint-action to v9
  • Use GHA cache instead of local cache for Docker builds
  • Add concurrency groups to prevent redundant workflow runs

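The summary above names the pattern (workflow_run gate, least-privilege permissions, credential-free checkout, concurrency group, GHA layer cache, native-ARM64 matrix with a manifest merge) but the page does not show the resulting workflow file. The following docker.yml is an added illustration written for this page, not the file from the PR or from this repository. The upstream workflow name "backend tests", the image name ghcr.io/example/app, the runner labels, and the pinned versions of the docker/* actions are assumptions, not taken from the PR.

```yaml
# docker.yml: illustrative only, not the PR's actual file.
name: docker

on:
  workflow_run:
    workflows: ["backend tests"]   # assumed: the `name:` of ci-build.yml
    types: [completed]
    branches: [master]

# Default for every job: nothing beyond reading the repository.
permissions:
  contents: read

# One publish pipeline per branch; a newer run supersedes an older one.
concurrency:
  group: docker-${{ github.event.workflow_run.head_branch }}
  cancel-in-progress: true

env:
  IMAGE: ghcr.io/example/app   # assumed image name (must be lowercase for ghcr.io)

jobs:
  build:
    # workflow_run has repository secrets no matter who triggered the upstream
    # run, so the gate belongs here: only a successful push to the repo itself.
    if: >-
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.event == 'push'
    strategy:
      matrix:
        include:
          - arch: amd64
            runner: ubuntu-latest
          - arch: arm64
            runner: ubuntu-24.04-arm   # GitHub-hosted native ARM64 runner, no QEMU
    runs-on: ${{ matrix.runner }}
    permissions:
      contents: read
      packages: write   # only the jobs that push need this
    steps:
      - uses: actions/checkout@v6
        with:
          # workflow_run checks out the default branch by default; pin to the
          # commit the tests actually ran against.
          ref: ${{ github.event.workflow_run.head_sha }}
          # Do not leave GITHUB_TOKEN in .git/config for later steps or
          # third-party actions to read.
          persist-credentials: false
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          platforms: linux/${{ matrix.arch }}
          # Push by digest only; the tag is attached once both arches exist.
          outputs: type=image,name=${{ env.IMAGE }},push-by-digest=true,name-canonical=true,push=true
          # Layer cache in the GitHub Actions cache, one scope per arch.
          cache-from: type=gha,scope=${{ matrix.arch }}
          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
      - run: |
          mkdir -p /tmp/digests
          touch "/tmp/digests/${DIGEST#sha256:}"
        env:
          DIGEST: ${{ steps.build.outputs.digest }}
      - uses: actions/upload-artifact@v4
        with:
          name: digest-${{ matrix.arch }}
          path: /tmp/digests/*

  merge:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          path: /tmp/digests
          pattern: digest-*
          merge-multiple: true
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # Combine the per-arch digests into one multi-platform manifest and tag it.
      - working-directory: /tmp/digests
        run: |
          docker buildx imagetools create -t "$IMAGE:latest" \
            $(printf "$IMAGE@sha256:%s " *)
```

Two checks worth making when adopting this shape: the `if:` on the build job is what stops a fork's pull_request run from reaching a job that holds `packages: write` and the registry login, and the `ref:` on checkout is what ties the published image to the commit the tests passed on rather than whatever master's HEAD is when the run starts. Both are easy to omit and the workflow still "works" without them.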
@paskal paskal requested a review from umputun as a code owner December 8, 2025 09:04
@paskal paskal changed the title from "Migrate Docker builds to native GitHub ARM64 runners" to "Replace QEMU emulation with native GitHub ARM64 runners for Docker builds" Dec 8, 2025
- Separate Docker build/push into dedicated docker.yml triggered after backend tests pass
- Simplify ci-build.yml to PR-only validation (no push triggers)
- Migrate ci-site.yml to native ARM64 runners with build matrix and manifest merge
- Upgrade actions/checkout to v6 with persist-credentials: false across all workflows
- Add explicit permissions (contents: read) to all jobs
- Upgrade golangci-lint-action to v9
- Use GHA cache instead of local cache for Docker builds
- Add concurrency groups to prevent redundant workflow runs
@paskal paskal force-pushed the docker-native-arm64-runners branch from 745a002 to 9730b83 December 8, 2025 09:27
@paskal paskal changed the title from "Replace QEMU emulation with native GitHub ARM64 runners for Docker builds" to "Improve GitHub Actions workflows security and performance" Dec 8, 2025
github-actions bot commented Dec 8, 2025

size-limit report 📦

Path                      Size
public/embed.mjs          2.03 KB  (0%)
public/remark.mjs         73.91 KB (0%)
public/remark.css         8.26 KB  (-0.02% 🔽)
public/last-comments.mjs  36.16 KB (-0.01% 🔽)
public/last-comments.css  3.75 KB  (0%)
public/deleteme.mjs       12.45 KB (0%)
public/counter.mjs        751 B    (0%)

codecov bot commented Dec 8, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 64.88%. Comparing base (658bf30) to head (9730b83).
⚠️ Report is 6 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #1977      +/-   ##
==========================================
+ Coverage   62.19%   64.88%   +2.69%     
==========================================
  Files         132      140       +8     
  Lines        3026     3258     +232     
  Branches      764      822      +58     
==========================================
+ Hits         1882     2114     +232     
  Misses       1140     1140              
  Partials        4        4              


@umputun umputun merged commit 41b75eb into master Dec 8, 2025
16 of 17 checks passed
@umputun umputun deleted the docker-native-arm64-runners branch December 8, 2025 20:46

2 participants