refactor(ci): inline publish steps, delete publish-repo.sh

Replace the monolithic publish-repo.sh with discrete workflow steps:
Sign RPMs, Set up SSH, Sync RPMs to repo, Update repo metadata.

Each step now has its own name in the CI UI, making failures
immediately identifiable. Removed 2>/dev/null from ssh-keyscan
which was silently hiding DNS resolution failures.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

script/publish-repo.sh

@@ -1,45 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-RPM_DIR="${1%/}"
-: "${RPM_DIR:?usage: $0 <rpm-directory>}"
-: "${FEDORA_VERSION:?}"
-REMOTE_DIR="/var/www/rpm/fedora/${FEDORA_VERSION}/x86_64"
-
-# sign each rpm with the imported gpg key
-echo "--- rpmmacros ---"
-cat ~/.rpmmacros
-echo "--- macro check ---"
-rpm -E '%{_openpgp_sign_id}' || true
-rpm -E '%{_gpg_name}' || true
-echo "--- signing ---"
-for rpm in "${RPM_DIR}"/*.rpm; do
-    echo "signing ${rpm}..."
-    set +e
-    rpm --addsign "${rpm}" 2>&1
-    rc=$?
-    set -e
-    echo "exit code: ${rc}"
-    if [ "${rc}" -ne 0 ]; then
-        echo "failed to sign ${rpm}" >&2
-        exit 1
-    fi
-done
-
-echo "setting up ssh..."
-install --directory --mode 700 ~/.ssh
-echo "${RSYNC_SSH_KEY}" | install --mode 600 /dev/stdin ~/.ssh/id_ed25519
-ssh-keyscan -H oolon.kosherinata.internal > ~/.ssh/known_hosts 2>/dev/null
-
-echo "rsyncing to ${RSYNC_TARGET}:${REMOTE_DIR}/..."
-rsync \
-    --archive \
-    --verbose \
-    --chmod D755,F644 \
-    "${RPM_DIR}/"*.rpm \
-    "${RSYNC_TARGET}:${REMOTE_DIR}/"
-
-echo "updating repo metadata..."
-ssh "${RSYNC_TARGET}" "cd ${REMOTE_DIR} && createrepo_c --update ."
-
-echo "Published $(ls ${RPM_DIR}/*.rpm | wc -l) RPMs"