Modernize the release pipeline and fix multi-arch image publishing

[goccy]

Summary

Now that the SQL backend is pure Go, this reworks the release pipeline along the same lines as goccy/googlesqlite and goccy/tobari, and fixes the long-standing multi-arch container image problem using the approach from goccy/wasmify.

• release.yml — Replace svenstaro/upload-release-action (which only shipped two raw linux/amd64 + darwin/amd64 binaries) with GoReleaser. It now produces archives for darwin/linux/windows × amd64/arm64, deb/rpm/apk packages, and checksums.txt. Every artifact gets a signed GitHub build-provenance attestation via actions/attest-build-provenance.
• .goreleaser.yml (new) — GoReleaser config mirroring the tobari/wasmify setup: cgo-free build with main.version/main.revision injected via ldflags.
• build.yml — Fix multi-arch publishing. The old per-arch runner matrix (ubuntu-latest + ubuntu-24.04-arm) pushed both builds to the same tags, so the second run silently overwrote the first and the published image was never actually multi-arch. A single buildx invocation now emits one linux/amd64+linux/arm64 manifest. The image manifest is attested and the attestation pushed to GHCR (one digest → one attestation covers all tags).
• Dockerfile — Cross-compile the pure-Go binary from the build platform using the BuildKit platform args ($BUILDPLATFORM/$TARGETOS/$TARGETARCH), so multi-arch builds need no QEMU emulation.
• Makefile — Switch docker/build to buildx and add a docker/build/multiarch target.
• README.md — Document the multi-arch image and how to verify attestations with gh attestation verify.

Verification

• Cross-compiled successfully for linux/amd64, linux/arm64, darwin/arm64, windows/amd64.
• goreleaser check passes with no warnings.
• Workflow YAML validated.

Multi-arch Docker builds were not run locally (no buildx component on the dev machine); CI installs it via docker/setup-buildx-action.

🤖 Generated with Claude Code