fix(ci): tighten image publish gates

[JSONbored]

Summary

• Investigates and mitigates the failed publish job from the latest main CI run
• Prevents image publishing for test/workflow-only changes
• Keeps release XML/changelog merges eligible to publish release image tags

What changed

• Added a publish_related change-detection output separate from build_related
• Limited Docker image publishing to image/release-relevant changes instead of any build/test-related change
• Avoided full Docker integration/publish work for unit/template test-only changes
• Updated release image tag detection to use scripts/release.py find-release-target-commit, so merge commits can still publish *-aio.* tags
• Set publish checkout to fetch-depth: 0 so release target detection has the required history
• Added workflow regression checks for the new gating and release-tag behavior

Why

• The failed run built successfully and then hit a Docker Hub 400 Bad request while uploading a layer for jsonbored/dify-aio:latest
• That publish job should not have run for the previous workflow/test/changelog fix merge in the first place
• The previous release-tag check only worked when the release commit itself was HEAD, which does not hold for merge-commit PR merges

Validation

• .venv/bin/python -m pytest tests/unit tests/template
• .venv/bin/python scripts/validate-template.py --all
• .venv/bin/python scripts/generate_dify_template.py --check
• bash scripts/validate-derived-repo.sh .
• trunk check --show-existing --all
• git diff --check
• Ruby YAML parse for .github/workflows/build.yml

Notes

• The Docker Hub 400 itself appears registry-side or upload-session-specific; rerunning the old failed job may succeed, but this change avoids unnecessary publish attempts and fixes release-tag detection before the next release path run.