ci(release): build docker images on native arm64 runners

[vanducng]

Root cause

Run 24516158412 showed docker-images (full) and docker-images (latest) stalled for 6 hours before GHA cancelled them at the job timeout. The base (19 min) and otel (27 min) variants on the same workflow finished fine.

The bottleneck is QEMU emulating linux/arm64 on an amd64 runner. When ENABLE_PYTHON=true, the Alpine build layer runs pnpm + pip source-compiles pandas/numpy/lxml under QEMU — effectively single-threaded software emulation of a different ISA. This reliably hangs or takes 10× longer than native.

Fix

Replace the single cross-arch buildx job with a 2-stage pipeline:

Stage 1 — *-build (per-variant × per-arch, native runners)

• linux/amd64 jobs run on ubuntu-latest (existing free runner)
• linux/arm64 jobs run on ubuntu-24.04-arm (GitHub-hosted ARM runner, free for public repos)
• Each job builds a single-platform image and pushes it by content digest (no tags yet)
• Digest files uploaded as artifacts (digest-<variant>-<arch>)

Stage 2 — *-merge (per-variant, fuses digests into multi-arch manifest)

• Downloads per-arch digest artifacts
• Runs docker buildx imagetools create twice — once for GHCR tags, once for Docker Hub tags — using GHCR digests as the source (content-addressable, accepted by both registries)
• No QEMU, no emulation at any point

Same pattern applied to:

• release.yaml: docker-images → docker-images-build + docker-images-merge; docker-web → docker-web-build + docker-web-merge
• release-beta.yaml: docker-images → docker-images-build + docker-images-merge

notify-discord.needs updated to reference docker-images-merge and docker-web-merge.

Validation

• YAML syntax: validated with python3 yaml.safe_load (actionlint not installed locally — CI is the authoritative validator)
• Job key sets verified correct via Python
• No setup-qemu-action remaining in either file
• No combined linux/amd64,linux/arm64 platform lines remaining
• Tag shapes unchanged: :vX.Y.Z, :vX.Y.Z-full, :full, :latest, :beta, :beta-full, etc.
• Both GHCR and Docker Hub receive all tags via separate imagetools create invocations

Checklist

• No changes outside the two workflow files
• No Dockerfile or requirements-*.txt changes
• notify-discord needs updated
• fail-fast: false on all new matrices
• Cache scopes updated to include arch suffix (avoids cross-contamination)

[vanducng]

Superseded by #946, which combines this arm64 fix with a DRY refactor (composite action + reusable workflow). Fork-validated on both beta and stable paths.