fix(ci): fix systemd smoke test for cgroups v2

GitHub Actions runners use cgroups v2 which requires:
- --cgroupns=host for systemd to access cgroup hierarchy
- :rw cgroup mount (not :ro) for systemd to manage cgroups

Also adds better debugging:
- Check if container exits unexpectedly
- Show container status on failure
- Attempt systemctl status inside container
- Increase timeout to 90s for systemd boot time

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: pRizz

.github/workflows/docker-publish.yml

@@ -69,19 +69,37 @@ jobs:
       - name: Smoke test - verify container starts and becomes healthy
         run: |
           echo "Starting container for smoke test..."
+          # Note: systemd in containers requires:
+          # - --privileged OR specific capabilities
+          # - --cgroupns=host for cgroups v2 (GitHub Actions runners)
+          # - rw cgroup mount for systemd to manage cgroups
           docker run -d \
             --name smoke-test \
             --privileged \
-            --cap-add SYS_ADMIN \
+            --cgroupns=host \
             --tmpfs /run \
             --tmpfs /tmp \
-            -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
+            -v /sys/fs/cgroup:/sys/fs/cgroup:rw \
             -p 3000:3000 \
             -e USE_SYSTEMD=1 \
             ${{ env.IMAGE_NAME_GHCR }}:test
 
-          echo "Waiting for container to become healthy (max 60 seconds)..."
-          for i in {1..60}; do
+          echo "Container started, checking status..."
+          docker ps -a --filter name=smoke-test
+
+          echo "Waiting for container to become healthy (max 90 seconds)..."
+          for i in {1..90}; do
+            # Check if container is still running
+            if ! docker ps --filter name=smoke-test --filter status=running -q | grep -q .; then
+              echo "✗ Container exited unexpectedly"
+              echo "Container status:"
+              docker ps -a --filter name=smoke-test
+              echo "Container logs:"
+              docker logs smoke-test 2>&1 || echo "(no logs)"
+              docker rm smoke-test || true
+              exit 1
+            fi
+
             if curl -sf http://localhost:3000/health > /dev/null 2>&1; then
               echo "✓ Container is healthy after ${i} seconds"
               docker logs smoke-test --tail 20
@@ -92,9 +110,13 @@ jobs:
             sleep 1
           done
 
-          echo "✗ Container failed to become healthy within 60 seconds"
+          echo "✗ Container failed to become healthy within 90 seconds"
+          echo "Container status:"
+          docker ps -a --filter name=smoke-test
           echo "Container logs:"
-          docker logs smoke-test
+          docker logs smoke-test 2>&1 || echo "(no logs)"
+          echo "Checking systemd status inside container:"
+          docker exec smoke-test systemctl status || echo "(systemctl failed)"
           docker stop smoke-test || true
           docker rm smoke-test || true
           exit 1