Fix Forgejo workflows for the actual server capabilities

- package.yml: use correct Arch registry upload (octet-stream + binary body
  + PUT /api/packages/Breadway/arch/os), drop --privileged, remove
  actions/checkout (archlinux image has no Node) in favour of a manual
  shell clone, use the built-in Actions token instead of a stored secret,
  and --nocheck (tests belong in CI, not packaging)
- mirror.yml: clone --mirror + explicit refs/heads + refs/tags push with
  --prune, instead of pushing refs/remotes pollution from a checkout
- pacman.conf: correct Server URL to the Forgejo Arch registry format

Requires only the GITHUB_MIRROR_TOKEN secret (GitHub PAT, repo scope) for
the mirror job; package publishing uses the automatic per-run token.

iso/pacman.conf

@@ -30,10 +30,12 @@ Include = /etc/pacman.d/mirrorlist
 # bread ecosystem packages (bread, breadbar, breadbox, breadcrumbs, breadpad,
 # bos-settings).
 #
-# Packages are published here by the Forgejo Actions package.yml workflow
-# in each repo. See git.breadway.dev/api/packages/breadway/arch for the
-# package registry.
+# Packages are published to the Forgejo Arch registry (group "os") by the
+# .forgejo/workflows/package.yml workflow in each repo, on tag push.
+#
+# TODO: packages are currently unsigned (TrustAll). For production, sign
+# them in CI with a GPG key and switch to SigLevel = Required.
 # -----------------------------------------------------------------------
 [breadway]
 SigLevel = Optional TrustAll
-Server = https://git.breadway.dev/api/packages/breadway/arch/breadway/$arch
+Server = https://git.breadway.dev/api/packages/Breadway/arch/os/$arch