feat: add macOS arm64 act_runner and release build job

- Register Apple Silicon Mac as act_runner with label macos-arm64
- Add build-macos-arm64 job to Gitea Actions release pipeline
- Produces unsigned .dmg artifact for aarch64-apple-darwin
- Update CICD-Pipeline.md to reflect Gitea Actions agents

.gitea/workflows/release.yml

@@ -100,6 +100,42 @@ jobs:
               -F "attachment=@$f;filename=$(basename $f)" && echo "Uploaded $(basename $f)" || echo "Upload failed: $f"
           done
 
+  build-macos-arm64:
+    runs-on: macos-arm64
+    steps:
+      - name: Checkout
+        run: |
+          git init
+          git remote add origin http://172.0.0.29:3000/sarman/tftsr-devops_investigation.git
+          git fetch --depth=1 origin $GITHUB_SHA
+          git checkout FETCH_HEAD
+      - name: Build
+        env:
+          MACOSX_DEPLOYMENT_TARGET: "11.0"
+        run: |
+          npm ci --legacy-peer-deps
+          rustup target add aarch64-apple-darwin
+          cargo install tauri-cli --version "^2" --locked
+          CI=true cargo tauri build --target aarch64-apple-darwin
+      - name: Upload artifacts
+        env:
+          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+        run: |
+          API="http://172.0.0.29:3000/api/v1/repos/$GITHUB_REPOSITORY"
+          TAG="$GITHUB_REF_NAME"
+          curl -sf -X POST "$API/releases" \
+            -H "Authorization: token $RELEASE_TOKEN" \
+            -H "Content-Type: application/json" \
+            -d "{\"tag_name\":\"$TAG\",\"name\":\"TFTSR $TAG\",\"body\":\"Release $TAG\",\"draft\":false}" || true
+          RELEASE_ID=$(curl -sf "$API/releases/tags/$TAG" \
+            -H "Authorization: token $RELEASE_TOKEN" | grep -o '"id":[0-9]*' | head -1 | cut -d: -f2)
+          echo "Release ID: $RELEASE_ID"
+          find src-tauri/target/aarch64-apple-darwin/release/bundle -name "*.dmg" | while read f; do
+            curl -sf -X POST "$API/releases/$RELEASE_ID/assets" \
+              -H "Authorization: token $RELEASE_TOKEN" \
+              -F "attachment=@$f;filename=$(basename $f)" && echo "Uploaded $(basename $f)" || echo "Upload failed: $f"
+          done
+
   build-linux-arm64:
     runs-on: linux-arm64
     container:

docs/wiki/CICD-Pipeline.md

@@ -13,13 +13,17 @@
 
 | Agent | Platform | Host | Purpose |
 |-------|----------|------|---------|
-| `woodpecker_agent` (Docker) | `linux/amd64` | 172.0.0.29 | Native x86_64 — test builds + amd64/windows release |
-| `woodpecker-agent` (systemd) | `linux/arm64` | sarman's local machine | Native aarch64 — arm64 release builds |
-| `woodpecker_agent_arm64` (Docker) | `linux/arm64` | 172.0.0.29 | QEMU fallback — kept as backup |
+| `gitea_act_runner_amd64` (Docker) | `linux-amd64` | 172.0.0.29 | Native x86_64 — test builds + amd64/windows release |
+| `act_runner` (systemd) | `linux-arm64` | 172.0.0.29 | Native aarch64 — arm64 release builds |
+| `act_runner` (launchd) | `macos-arm64` | sarman's local Mac | Native Apple Silicon — macOS `.dmg` release builds |
 
-Agent labels configured via `WOODPECKER_LABELS`:
-- Docker agents: `WOODPECKER_LABELS=platform=linux/amd64` (or arm64)
-- Local systemd agent: `~/.config/woodpecker-agent/config.env` → `WOODPECKER_LABELS=platform=linux/arm64`
+Agent labels configured in `~/.config/act_runner/config.yaml`:
+```yaml
+runner:
+  labels:
+    - "macos-arm64:host"
+```
+macOS runner runs jobs **directly on the host** (no Docker container) — macOS SDK cannot run in Docker.
 
 ---
 
@@ -61,21 +65,21 @@ steps:
 
 ---
 
-## Release Pipeline (`.woodpecker/release.yml`)
+## Release Pipeline (`.gitea/workflows/release.yml`)
 
 **Triggers:** Git tags matching `v*`
 
 ```
-Pipeline steps:
-  1. clone (amd64 workspace)  → alpine/git with explicit tag fetch + checkout
-  2. build-linux-amd64        → cargo tauri build (x86_64-unknown-linux-gnu)
-                                 → artifacts/linux-amd64/{.deb, .rpm, .AppImage}
-  3. build-windows-amd64      → cargo tauri build (x86_64-pc-windows-gnu)
-                                 → artifacts/windows-amd64/{.exe, .msi}
-  4. build-linux-arm64        → cargo tauri build (aarch64-unknown-linux-gnu)
-                                 → artifacts/linux-arm64/{.deb, .rpm, .AppImage}
-                                 → uploads arm64 artifacts inline to Gitea release
-  5. upload-release            → Create Gitea release + upload amd64 + windows artifacts
+Jobs (run in parallel):
+  build-linux-amd64   → cargo tauri build (x86_64-unknown-linux-gnu)
+                         → {.deb, .rpm, .AppImage} uploaded to Gitea release
+  build-windows-amd64 → cargo tauri build (x86_64-pc-windows-gnu) via mingw-w64
+                         → {.exe, .msi} uploaded to Gitea release
+  build-linux-arm64   → cargo tauri build (aarch64-unknown-linux-gnu)
+                         → {.deb, .rpm, .AppImage} uploaded to Gitea release
+  build-macos-arm64   → cargo tauri build (aarch64-apple-darwin) — runs on local Mac
+                         → {.dmg} uploaded to Gitea release
+                         → unsigned; users must right-click → Open to bypass Gatekeeper
 ```
 
 **Per-step agent routing (Woodpecker 2.x labels):**