publish workflow: add :release auto-tag + workflow_dispatch rollback input

[ehsan6sha]

Part of Plan B v2.1 (production consolidation). Plan file at E:\fxblox\plans\plan-B-production-consolidation.md in the fula-ota workspace.

Summary

Two related changes to .github/workflows/docker-build-publish.yml:

1. :release as the production-default tag on main pushes.
   The fula-ota plugin compose defaults to ${BLOX_AI_IMAGE_TAG:-release}; without this tag, fresh installs hit Docker Hub 404.

2. workflow_dispatch input extra_tag to mint immutable rollback tags from a chosen ref (e.g. rollback-2026-05-26). Lets us publish a stable rollback target that mutable tags cannot accidentally move.

The previous :test raw-tag alias is dropped — :release is the single production tag and canary devices pin by sha256 digest, not by tag (per the planned D4 canary design).

Safety preconditions for :release = :main

These are documented in the plan and need to be in place before / alongside this merge:

• main is branch-protected (PR + review + green CI required) — manual GitHub UI step
• immutable rollback-2026-05-26 tag exists as fallback — minted via gh workflow run docker-build-publish.yml -f extra_tag=rollback-2026-05-26 after this PR merges
• canary devices pin to an immutable sha256 digest during the D4 observation window

Test plan

• PR CI green (workflow YAML syntax)
• After merge: main push triggers CI, publishes :main and :release from the same build
• docker buildx imagetools inspect functionland/blox-ai:release --format '{{json .Manifest.Digest}}' returns a valid sha256
• Same digest for :main and :release (auto-alias works)
• gh workflow run docker-build-publish.yml --ref main -f extra_tag=rollback-2026-05-26 publishes the rollback tag with the same digest

Co-Authored-By: Claude Opus 4.7 noreply@anthropic.com