refactor(ci): unify RPM build pipeline via rpm.yaml #496

Draft
samchu-zsl wants to merge 1 commit into alibaba:main from samchu-zsl:refactor/ci/unify-rpm-build

@samchu-zsl
Collaborator

@samchu-zsl samchu-zsl commented May 12, 2026

Description

Unifies the RPM build pipeline by introducing a single reusable workflow (.github/workflows/rpm.yaml) that is shared between the nightly (docker-nightly.yaml) and tag-driven release (release.yaml) flows. The pipeline handles source/vendor packaging and per-arch RPM construction in one place, replacing the previous three-way split (_rpm-build.yaml + inline packaging in nightly + inline packaging in release). On top of the refactor, this PR also resolves a few accumulated CI issues: the (409) Conflict on artifact uploads during a release run, a sec-core source selection that went stale whenever development moved between main and the release branch, and several tokenless RPM packaging bugs.

Related Issue

no-issue: internal CI reliability / refactor work; no user-facing ticket.

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Refactoring (no functional change)
  • Performance improvement
  • CI/CD or build changes

Scope

  • cosh (copilot-shell)
  • sec-core (agent-sec-core)
  • skill (os-skills)
  • sight (agentsight)
  • tokenless (tokenless)
  • Multiple / Project-wide

Checklist

  • I have read the Contributing Guide
  • My code follows the project's code style
  • I have added tests that prove my fix is effective or that my feature works
  • I have updated the documentation accordingly
  • For cosh: Lint passes, type check passes, and tests pass
  • For sec-core (Rust): cargo clippy -- -D warnings and cargo fmt --check pass
  • For sec-core (Python): Ruff format and pytest pass
  • For skill: Skill directory structure is valid and shell scripts pass syntax check
  • For sight: cargo clippy -- -D warnings and cargo fmt --check pass
  • For tokenless: cargo clippy -- -D warnings and cargo fmt --check pass
  • Lock files are up to date (package-lock.json / Cargo.lock)

Testing

Additional Notes

Key behavioural changes reviewers should scrutinise:

  1. Nightly schedule moves from 0 16 * * * (Beijing 00:00) to 0 20 * * * (Beijing 04:00).
  2. sec-core source selection is no longer "always the latest release branch". detect-sec-core now compares the last-touched commit time under src/agent-sec-core/ between release/sec-core/v* and main, and picks whichever is newer. This matches the fluid branch management reality for sec-core.
  3. ws-ckpt is removed from the nightly pipeline and marked TODO alongside agentsight until its integration lands.
  4. release.yaml no longer runs package-source/package-vendor itself. All artifacts (source tarball, vendor tarball, per-arch RPMs) are produced by rpm.yaml and consumed by the publish job from the same workflow run. The previous archive-sha256 cross-job checksum check was removed because same-run artifacts are implicitly trusted.
  5. src/tokenless/tokenless.spec.in:
    • BuildRequires: cargo and rust >= 1.86 are commented out; the CI environment provides these directly, and local builders must install them manually.
    • %setup -q -n tokenless → %setup -q, so the macro expands to the default %{name}-%{version}, matching the tarball produced by package-source.
    • cargo build ... toon ... || true loses the || true fallback; the toon submodule build is now a hard requirement (Rust 1.93 in CI satisfies it).

Rollback is a straight revert of the single commit; changes are isolated to CI/workflow files and one RPM spec.
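
Item 2 above describes detect-sec-core choosing between main and release/sec-core/v* by last-touched commit time under src/agent-sec-core/. That selection, as an added example (not the PR's or the project's code); the function names, the origin/ remote prefix and the tie-break in favour of the first ref listed are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not the project's detect-sec-core job. Function names,
# the origin/ prefix and the tie-break rule are assumptions.

# last_touched REF PATH: committer time (epoch seconds) of the newest commit
# on REF that touches PATH; prints nothing when no such commit exists.
last_touched() {
  git log -1 --format=%ct "$1" -- "$2" 2>/dev/null
}

# candidate_refs: origin/main first, then every release/sec-core/v* branch.
candidate_refs() {
  echo origin/main
  git for-each-ref --format='%(refname:short)' \
    'refs/remotes/origin/release/sec-core/v*'
}

# pick_newest: reads "ref epoch" lines on stdin and prints the ref with the
# largest epoch. Lines with a missing or non-numeric epoch are skipped, ties
# keep the ref listed first, and an empty candidate set returns 1.
pick_newest() {
  best_ref= best_ts=-1
  while read -r ref ts || [ -n "$ref" ]; do
    case "$ts" in ''|*[!0-9]*) continue ;; esac
    if [ "$ts" -gt "$best_ts" ]; then
      best_ts=$ts
      best_ref=$ref
    fi
  done
  [ -n "$best_ref" ] || return 1
  printf '%s\n' "$best_ref"
}

# select_sec_core_ref [PATH]: run inside a clone with full history.
select_sec_core_ref() {
  path=${1:-src/agent-sec-core/}
  candidate_refs | while read -r ref; do
    printf '%s %s\n' "$ref" "$(last_touched "$ref" "$path")"
  done | pick_newest
}

# Constructed sample input (not real repository data).
printf '%s\n' 'origin/main 1778500000' \
  'origin/release/sec-core/v0.3 1778586400' | pick_newest
```

In CI the checkout needs full history and the remote branches (for example `fetch-depth: 0` with actions/checkout) for `git log` to see both refs. Committer timestamps are set by whoever creates the commit, so printing the chosen ref and each candidate's timestamp in the job log keeps the selection auditable.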

@samchu-zsl
Collaborator Author

Caution

This PR was generated and submitted by AI.
Please review all changes carefully before merging. Pay special attention to logic correctness, edge cases, and potential side effects.

@github-actions github-actions Bot added component:tokenless src/tokenless/ scope:ci ./.github/ labels May 12, 2026
@samchu-zsl
Collaborator Author

Manually tested in the fork repository; docker-nightly, rpm-build, and release all succeeded.

@kongche-jbw
Collaborator

The only remaining point to align on: whether ws-ckpt should be included in the nightly Docker pipeline? ws-ckpt has been removed from the current Nightly image build pipeline.

@samchu-zsl samchu-zsl marked this pull request as draft May 12, 2026 10:01
@samchu-zsl
Collaborator Author

The only remaining point to align on: whether ws-ckpt should be included in the nightly Docker pipeline? ws-ckpt has been removed from the current Nightly image build pipeline.

The ws-ckpt RPM package cannot be installed in Docker containers because its installation process requires modprobe. Tracked in Issue #501.
