Implement GPG signing process and refactor plugin manifest handling

[sethwv]

This pull request refactors the plugin publishing pipeline to simplify artifact management, improve manifest generation, and add optional GPG signing for manifests. The changes consolidate all plugin ZIPs and manifests under a single zips/ directory (removing releases/ and metadata/), introduce a robust GPG signing workflow, and streamline metadata handling for plugins and the root manifest.

Key changes include:

Artifact and Directory Structure Refactor

• All plugin ZIPs and manifest files are now stored under zips/<plugin>/, replacing the previous releases/ and metadata/ directories. This affects all scripts that read or write plugin artifacts and metadata. [1] [2] [3] [4] [5] [6] [7] [8]
• Per-version metadata is now written to a temporary build directory (BUILD_META_DIR) and only used within the CI run, reducing clutter in the repository. [1] [2] [3]

Manifest Generation and Metadata Handling

• The manifest generation script (generate-manifest.sh) now prefers fresh metadata from the current build, falling back to existing per-plugin manifests if needed. [1] [2]
• The manifest structure is streamlined: some fields (like unlisted, min_dispatcharr_version, max_dispatcharr_version) are removed from the top-level manifest, and the latest version's metadata is included in a latest field. [1] [2] [3]
• Unlisted plugins are now excluded from manifests.

GPG Signing Support

• Adds a new script (generate-signing-key.sh) to generate a GPG Ed25519 signing key for manifest signing, with clear instructions for storing keys and passphrases as secrets.
• The manifest generation script can now sign manifests with a GPG private key if provided (GPG_PRIVATE_KEY/GPG_PASSPHRASE), embedding the armored signature in the manifest JSON. If signing fails, all signatures are stripped to avoid partial signing. [1] [2]
• A public key file (dispatcharr-plugins.pub) is added for use by consumers to verify signatures.

Cleanup and Maintenance

• The cleanup script now only manages ZIP files in zips/ and prunes old versions, removing references to orphaned metadata files.
• README generation for plugins is updated to use the new zips/ directory.

---

Most important changes:

Artifact and Directory Structure

• Consolidated all plugin ZIPs and manifests under zips/<plugin>/, removing releases/ and metadata/ directories and updating all related scripts. [1] [2] [3] [4] [5] [6] [7] [8]
• Per-version metadata is now written to a temporary build directory (BUILD_META_DIR) for use during CI runs only. [1] [2] [3]

Manifest Generation and Metadata

• Manifest generation now uses fresh build metadata when available, falls back to existing manifests, and excludes unlisted plugins from output. [1] [2]
• Manifest structure is simplified, with some fields removed and latest version metadata included in a latest field. [1] [2] [3]

GPG Signing Support

• Added generate-signing-key.sh for GPG Ed25519 key generation, and support for signing manifests with GPG keys in the publishing workflow. [1] [2] [3]
• Added the public key dispatcharr-plugins.pub for consumers to verify manifest signatures.

Cleanup and Maintenance

• Cleanup script updated to operate only on ZIPs in zips/, removing orphaned metadata handling.
• README generation script now writes to zips/<plugin>/README.md.