
ci: build & sign processgit-updater image paired with the main image#129

Merged

rg4444 merged 1 commit into main from slice-3/workflow-build-updater-image on May 23, 2026

Conversation

Contributor

@rg4444 rg4444 commented May 23, 2026

ci: build & sign processgit-updater image paired with the main image

Extends the release workflow to also build a multi-arch Docker image for the updater sidecar (added in #128) on every semver tag push.

After this lands, every release publishes two signed images:

Image                   Repository
Main app                ghcr.io/algomation-ai/processgit:VERSION
Updater sidecar (new)   ghcr.io/algomation-ai/processgit-updater:VERSION

Same machinery as the main image:

  • Multi-arch buildx (linux/amd64 + linux/arm64)
  • Separate GHA cache scope (type=gha,scope=updater) so updater builds don't evict main-image cache and vice versa
  • Cosign keyless signing via OIDC + inline cosign verify smoke test
  • Standard opencontainers labels
  • Build args wire VERSION + COMMIT from the version-derivation step into the updater binary's main.version via -ldflags

Tag scheme

Identical to the main image:

  • vX.Y.Z → :X.Y.Z (immutable) + :X.Y + :X + :latest on stable
  • vX.Y.Z-rc1 → only :X.Y.Z-rc1

Verification

After a release:

docker pull ghcr.io/algomation-ai/processgit-updater:0.1.0

cosign verify ghcr.io/algomation-ai/processgit-updater:0.1.0 \
  --certificate-identity-regexp '^https://github.com/Algomation-AI/ProcessGit/\.github/workflows/release\.yml@.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

What this PR does NOT do

  • Doesn't add the updater image to release.json. The current schema only describes the main image. Could be extended to a companion_images field later; out of scope here.
  • Doesn't change the main-image build, signing, or tagging.
  • Doesn't change deploy/docker-compose.yml. See the sibling PR for compose integration.

Validation

  • YAML syntax of edited release.yml validated
  • Manual review against GH Actions schema (network sandbox blocks actionlint install in dev env)
  • Diff is purely additive: 4 new steps, no modification of existing steps

Extends the release workflow to also build a multi-arch Docker image
for the updater sidecar (added in PR #128) on every semver tag push.
Same machinery as the main image: buildx multi-arch (linux/amd64 +
linux/arm64), GHA cache, cosign keyless signing with inline verify,
opencontainers labels.

After this lands, every release will publish:

  ghcr.io/algomation-ai/processgit:VERSION              (main app)
  ghcr.io/algomation-ai/processgit-updater:VERSION      (sidecar; new)

Tags follow the same scheme: immutable :VERSION + moving :MAJOR.MINOR,
:MAJOR, :latest on stable releases; pre-releases get only :VERSION-X.

The updater image is built from `updater/Dockerfile`, the multi-stage
build added in PR #128 (golang:1.25-alpine3.22 → alpine:3.22 with
docker-cli + cosign + the updater binary).

Co-authored-by: Claude <noreply@anthropic.com>
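The tag scheme and the identity-pinned verification described above, as an added shell example that is not code from the ProcessGit repository or its release.yml; the image name, the certificate identity regexp and the OIDC issuer are taken from the PR text, the function names and the standalone-script usage are assumptions:

```shell
#!/bin/sh
# Added example, not code from the ProcessGit repository: derives the image
# tags the PR's tag scheme describes and pins cosign verification to the
# release workflow's OIDC identity. Image name and regexp come from the PR.
IMAGE="ghcr.io/algomation-ai/processgit-updater"
WORKFLOW_ID_RE='^https://github.com/Algomation-AI/ProcessGit/\.github/workflows/release\.yml@.*'
OIDC_ISSUER="https://token.actions.githubusercontent.com"

# derive_tags vX.Y.Z[-pre]  -> one image reference per line.
# Stable vX.Y.Z gets :X.Y.Z (immutable) plus moving :X.Y, :X, :latest;
# a pre-release such as vX.Y.Z-rc1 gets only its immutable :X.Y.Z-rc1.
derive_tags() {
  tag="$1"
  case "$tag" in
    v[0-9]*.[0-9]*.[0-9]*) ;;
    *) echo "not a semver tag: $tag" >&2; return 1 ;;
  esac
  ver="${tag#v}"                          # drop the leading "v"
  case "$ver" in
    *-*) echo "$IMAGE:$ver" ;;            # pre-release: never moves :latest
    *)
      major="${ver%%.*}"
      minor="${ver#*.}"; minor="${minor%%.*}"
      printf '%s\n' "$IMAGE:$ver" "$IMAGE:$major.$minor" "$IMAGE:$major" "$IMAGE:latest"
      ;;
  esac
}

# verify_image REF -> accept the image only if its keyless signature was
# issued to release.yml in this repository by GitHub's OIDC issuer; a valid
# signature from any other workflow, fork or account fails the check.
verify_image() {
  command -v cosign >/dev/null 2>&1 || { echo "cosign not installed" >&2; return 2; }
  cosign verify "$1" \
    --certificate-identity-regexp "$WORKFLOW_ID_RE" \
    --certificate-oidc-issuer "$OIDC_ISSUER"
}

# Usage: sh tags.sh v0.1.0  -> print the tag set, then verify the immutable tag.
if [ $# -gt 0 ]; then
  derive_tags "$1" && verify_image "$IMAGE:${1#v}"
fi
```

Pinning both the identity regexp and the issuer is what makes the check meaningful: without them, cosign keyless verification accepts any Sigstore-signed image.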
@rg4444 rg4444 merged commit 945dfca into main May 23, 2026
8 of 23 checks passed