docs: add workflow trigger conventions reference

[DevSecNinja]

Why

We've converged on a consistent set of GitHub Actions trigger / concurrency / IRM patterns across truenas-apps and dotfiles. Without a written reference each new repo (or each future me) re-derives them — and gets the subtle traps wrong (event_name == 'push' silently skipping workflow_dispatch reruns; release: created not firing reliably from GitHub App tokens; etc.).

What

New page docs/workflow-trigger-conventions.md covering:

• Default trigger surface (pull_request-only for CI; when push: main is justified).
• Why we don't use pull_request_target casually.
• Concurrency: cancellable for PR-validation, non-cancellable for release/docs-publish; reusable workflows defer to caller.
• Why we don't gate on draft PRs (release-please opens drafts by design).
• Why we avoid path filters on required checks.
• notify-irm rules: gate on github.ref == 'refs/heads/main' only; do not also gate on github.event_name == 'push'; don't add to PR-only CI workflows.
• Release flow with release-please: draft-publish, tag-push trigger (NOT release: created), Immutable Releases compatibility.
• Quick-reference table for common workflow types.

Plus:

• README.md: new table row linking to the doc.
• docs/release-please-onboarding.md: cross-link in the release flow section.

Motivating PRs

• fix(release): trigger on tag push instead of release:created dotfiles#263 — switch release.yml from release: created to push: tags v*
• fix(release): notify IRM on workflow_dispatch reruns dotfiles#265, fix(ci): notify IRM on workflow_dispatch reruns truenas-apps#317 — drop event_name == 'push' gate from notify-irm
• ci: drop redundant push:main triggers from lint and test truenas-apps#325, ci: drop redundant push:main trigger and remove unreachable notify-irm dotfiles#266 — drop redundant push: main from PR-validation workflows