fix(scripts): publish.sh routes docker through sudo by default

Mirrors the SUDO=/NO_SUDO=1 pattern from scripts/dev.sh so the script
works on hosts where the user isn't in the docker group (the default
on this dev box). Without this, 'docker info' fails immediately even
though 'docker login' (which needs no daemon socket) succeeds, and
publish.sh aborts before doing anything.

Reminder text updated to tell operators to 'sudo docker login' (or to
opt into rootless docker via NO_SUDO=1).

scripts/publish.sh

@@ -16,9 +16,14 @@ Arguments:
 Environment:
   DOCKER_IMAGE_TAG     Alternative way to set the tag (overrides CLI argument).
   BUILD_ARGS           Extra arguments passed to each docker build command.
+  CM_IMAGE_PLATFORMS   Buildx platforms (default: linux/amd64).
+  NO_SUDO=1            Skip the 'sudo' prefix (use if your user is in the docker group).
 
-Make sure you are authenticated first:
+Authentication:
-  docker login gitea.04080616.xyz
+  The script invokes docker via sudo by default (matching scripts/dev.sh).
+  Authenticate as the same user that runs the build:
+    sudo docker login gitea.04080616.xyz       # default (sudo path)
+    docker login gitea.04080616.xyz            # only with NO_SUDO=1
 EOF
 }
 
@@ -27,14 +32,29 @@ if [[ "${1:-}" == "-h" || "${1:-}" == "--help" ]]; then
   exit 0
 fi
 
-if ! docker info >/dev/null 2>&1; then
+# Match scripts/dev.sh: prefix docker calls with sudo unless the user opts
-  echo "Docker daemon is not reachable. Please start Docker and retry." >&2
+# out via NO_SUDO=1 (typically because they're in the docker group).
+SUDO="sudo"
+[[ "${NO_SUDO:-0}" == "1" ]] && SUDO=""
+DOCKER=(${SUDO} docker)
+
+if ! "${DOCKER[@]}" info >/dev/null 2>&1; then
+  cat <<EOF >&2
+Docker daemon is not reachable as the current effective user.
+
+If you usually run docker via sudo (matching scripts/dev.sh), make sure
+your password is cached / interactive — try 'sudo -v' first, then rerun.
+
+If you've added yourself to the docker group, set NO_SUDO=1:
+  NO_SUDO=1 bash scripts/publish.sh ${1:-latest}
+EOF
   exit 1
 fi
 
-if ! docker system info --format '{{json .IndexServerAddress}}' | grep -q "gitea.04080616.xyz" 2>/dev/null; then
+if ! "${DOCKER[@]}" system info --format '{{json .IndexServerAddress}}' 2>/dev/null | grep -q "gitea.04080616.xyz"; then
-  cat <<'EOF' >&2
+  cat <<EOF >&2
-Reminder: run 'docker login gitea.04080616.xyz' before publishing so pushes succeed.
+Reminder: authenticate first as the same user that runs the build:
+  ${SUDO:+sudo }docker login gitea.04080616.xyz
 EOF
 fi
 
@@ -42,7 +62,7 @@ IMAGE_TAG="${1:-${DOCKER_IMAGE_TAG:-latest}}"
 ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 PLATFORMS="${CM_IMAGE_PLATFORMS:-linux/amd64}"
 
-if ! docker buildx version >/dev/null 2>&1; then
+if ! "${DOCKER[@]}" buildx version >/dev/null 2>&1; then
   cat <<'EOF' >&2
 Docker Buildx is required for producing registry-compatible images.
 Install/enable buildx and rerun, for example:
@@ -71,7 +91,7 @@ for ENTRY in "${SERVICES[@]}"; do
   IMAGE_NAME="${REGISTRY_PREFIX}/cm-${SERVICE}:${IMAGE_TAG}"
 
   echo "==> Building and pushing ${IMAGE_NAME} (${DOCKERFILE})"
-  docker buildx build ${BUILD_ARGS:-} \
+  "${DOCKER[@]}" buildx build ${BUILD_ARGS:-} \
     --platform "${PLATFORMS}" \
     -f "${ROOT_DIR}/${DOCKERFILE}" \
     -t "${IMAGE_NAME}" \