feat: use skopeo instead of docker for image push

Replace docker load + docker push with skopeo copy to push OCI
images directly to the registry. Benefits:
- No Docker daemon required in runner
- More secure (no socket mounting needed)
- Simpler - direct OCI tarball to registry copy
- Works in any environment with skopeo

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

docker-build-nix/action.yaml

@@ -80,24 +80,14 @@ runs:
           echo "Warning: Failed to push to Attic cache, continuing anyway"
         fi
 
-    - name: Load image into Docker
+    - name: Push image to registry with skopeo
       shell: bash
       run: |
-        echo "Loading OCI image into Docker..."
+        TARGET_IMAGE="docker://${{ inputs.registry }}/${{ inputs.image-name }}:${{ inputs.image-tag }}"
-        docker load < ./result
+        echo "Pushing OCI image to: $TARGET_IMAGE"
 
-    - name: Tag and push to registry
+        # Use skopeo to push directly from OCI tarball to registry
-      shell: bash
+        skopeo copy \
-      run: |
+          --dest-creds "${{ inputs.registry-username }}:${{ inputs.registry-password }}" \
-        # Extract image name from the loaded output
+          "docker-archive:./result" \
-        IMAGE_ID=$(docker images --format "{{.Repository}}:{{.Tag}}" | head -n1)
+          "$TARGET_IMAGE"
-        echo "Loaded image: $IMAGE_ID"
-
-        # Tag with target name
-        TARGET_IMAGE="${{ inputs.registry }}/${{ inputs.image-name }}:${{ inputs.image-tag }}"
-        echo "Tagging as: $TARGET_IMAGE"
-        docker tag "$IMAGE_ID" "$TARGET_IMAGE"
-
-        # Login and push
-        echo "${{ inputs.registry-password }}" | docker login ${{ inputs.registry }} -u ${{ inputs.registry-username }} --password-stdin
-        docker push "$TARGET_IMAGE"