dd4e2d4fa8
The Gitea Arch registry signs its DB + packages, so 'SigLevel = Optional TrustAll' fails non-interactively (pacman still needs the key to verify). Document the one-time pacman-key import instead; install is then signature-validated under pacman's default SigLevel (verified end-to-end: clean archlinux container -> repo sync -> install, 'Validated By: Signature'). Also cache /usr/local/cargo/git in arch.yml: the workspace pulls clients/windows' git-pinned windows-reactor/windows deps to resolve, cloning windows-rs (huge) every run otherwise — same registry+git cache deb.yml uses. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>