fix: fixed build stages and docker images. Docker image is now sleeker. The pulbish build should now have less garbage

.gitea/workflows/docker-publish.yml

@@ -73,10 +73,30 @@ jobs:
           username: ${{ gitea.actor }}
           password: ${{ secrets.REGISTRY_TOKEN }}
 
+      # Build a single-arch image locally so Trivy can inspect it before the real push.
+      - name: Build local image for scanning
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          target: final
+          platforms: linux/amd64
+          load: true
+          tags: scan-target:${{ inputs.tag }}
+          cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ gitea.repository }}:buildcache
+
+      - name: Scan image with Trivy
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: scan-target:${{ inputs.tag }}
+          format: table
+          exit-code: '1'
+          severity: CRITICAL,HIGH
+
       - name: Build and push
         uses: docker/build-push-action@v5
         with:
           context: .
+          target: final
           platforms: linux/amd64,linux/arm64
           push: true
           tags: ${{ steps.meta.outputs.tags }}