ci: add Arch Linux pacman build and hide upload URL

- Add pacman target to electron-builder Linux build
- Upload .pacman packages to release
- FORGEJO_UPLOAD now uses repository secret

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.github/workflows/release.yml

@@ -9,8 +9,8 @@ on:
 env:
   # Domain for small API calls (goes through Cloudflare - fine for <100MB)
   FORGEJO_API: https://git.sanhost.net/api/v1
-  # Direct to Forgejo port (bypasses Cloudflare + Traefik for large uploads)
+  # Direct upload URL (bypasses Cloudflare for large files) - set in repo secrets
-  FORGEJO_UPLOAD: http://208.69.78.130:3001/api/v1
+  FORGEJO_UPLOAD: ${{ secrets.FORGEJO_UPLOAD_URL }}
 
 jobs:
   create-release:
@@ -107,13 +107,13 @@ jobs:
       - run: npm ci
 
       - name: Build Linux Packages
-        run: npx electron-builder --linux AppImage deb rpm --publish never
+        run: npx electron-builder --linux AppImage deb rpm pacman --publish never
 
       - name: Upload to Release
         run: |
           RELEASE_ID=$(curl -s "${FORGEJO_API}/repos/${GITHUB_REPOSITORY}/releases/tags/${{ github.ref_name }}" \
             -H "Authorization: token ${{ secrets.RELEASE_TOKEN }}" | python3 -c 'import sys,json; print(json.load(sys.stdin)["id"])')
-          for file in dist/*.AppImage dist/*.AppImage.blockmap dist/*.deb dist/*.rpm dist/latest-linux.yml; do
+          for file in dist/*.AppImage dist/*.AppImage.blockmap dist/*.deb dist/*.rpm dist/*.pacman dist/latest-linux.yml; do
             [ -f "$file" ] || continue
             echo "Uploading $file..."
             curl -s --max-time 600 -X POST "${FORGEJO_UPLOAD}/repos/${GITHUB_REPOSITORY}/releases/${RELEASE_ID}/assets?name=$(basename $file)" \