Verify release checkouts use tag commits

[gontzess]

Why

The release workflow accepts a tag input and then builds, signs, uploads, and records release metadata. The caller checkout should be tied directly to that tag so a release run cannot publish artifacts from one commit while labeling or recording them as another tag.

What this changes

• Checks out caller code from refs/tags/${{ inputs.tag }} in the binaries, Windows, Docker, and registry metadata jobs.
• Verifies each checked-out caller repository HEAD matches the tag target before continuing.
• Records the verified connector checkout commit SHA in the registry metadata instead of using github.sha.
• Documents the release source identity invariant in the release workflow docs.

This PR is stacked on #74 and should merge after it.

Validation

• Parsed .github/workflows/release.yaml with yq.
• Ran git diff --check.
• Verified all caller/connector release checkouts use refs/tags/${{ inputs.tag }}.
• Ran orch-cross-review focused on annotated/lightweight tags, cross-runner behavior, registry commit recording, and regressions; no blockers were reported.
• Ran a private connector release canary against this branch; the release completed successfully, including macOS, Windows, Docker, manifest publication, artifact verification, and registry recording jobs.