ci: re-enable ECR push for duckgres-worker and duckgres-controlplane CDs

[fuziontech]

Summary

Reverts the GHCR-only workaround from #507 now that the ECR repos exist.
Verified via the apply log: "Apply complete! Resources: 6 added, 0 changed, 0 destroyed." (2 ECR repos + 2 lifecycle policies + 2 cross-account aws_ecr_repository_policy entries).

Changes

In both .github/workflows/container-image-worker-cd.yml and container-image-controlplane-cd.yml:

• Restored ECR_REGISTRY: xxx.dkr.ecr.us-east-1.amazonaws.com in the env: block.
• Restored aws-actions/configure-aws-credentials + amazon-ecr-login steps in both the build and manifest jobs.
• Restored ECR tags in the docker/build-push-action tags: lists so per-arch images push to both ECR and GHCR.
• Restored ECR docker buildx imagetools create calls in manifest assembly.
• Worker workflow's "Tag default version as and latest" step retags both ECR and GHCR.
• Stripped the temporary "ECR push is intentionally disabled" notes from both file headers.

Test plan

• YAML parses for both files
• Diff against pre-fix(ci): repair main — driver registration, GORM column name, missing ECR repos #507 state confirms exact restoration of the working configuration
• Once landed, the next push to main runs both CDs with ECR push enabled — should be green now that the repos exist

🤖 Generated with Claude Code