Enforce GHCR release tag immutability safeguards

[mark-e-deyoung]

Summary

Implements release tag immutability safeguards for GHCR publish flow (issue #21).

What changed

• Added scripts/release-tag-immutability.sh:
  • resolve-existing <image_ref> resolves existing tag digest (empty when tag missing)
  • evaluate <image_ref> <existing_digest> <candidate_digest> enforces:
    • allow when tag missing
    • allow when digest is identical (idempotent re-run)
    • fail on digest mismatch by default
    • allow with explicit override SUPRAGOFLOW_ALLOW_TAG_OVERWRITE=true
• Updated release workflow to:
  • build/push temporary tags first
  • resolve existing release-tag digest
  • enforce immutability check before assigning release tags
  • assign release tags via docker buildx imagetools create only after check passes
• Added tests: scripts/test-release-tag-immutability.sh
• Wired test into ./scripts/gg self-test
• Updated docs/policy:
  • POLICY.md release tag immutability + explicit override note
  • README.md canonical releases note
• Tightened policy conformance check to require immutability policy statement.

Validation

• ./scripts/test-release-tag-immutability.sh
• ./scripts/check-policy-conformance.sh
• ./scripts/gg self-test
• ./scripts/gg lint
• ./scripts/gg test

Closes #21