Add commit-based container tagging prereq to harden-zot-registry chain (#230)

## Summary

- New Mikado card: `adopt-commit-based-container-tags` — replaces git-tag-triggered container builds with path-based main-branch triggers and manual workflow dispatch
- Image tags become `vX.Y.Z-<sha>` (with `-main` suffix for main branch builds, `-nix` for Nix builds), tying versions to the actual bundled app version and exact source commit
- `container-tag-and-release` mise task to be renamed to `container-build-and-release`, triggering workflow dispatch with the current HEAD SHA
- Added as soft prereq to `harden-zot-registry` Mikado chain

## Test plan

- [x] Pre-commit hooks pass (docs-check-index, docs-check-links, etc.)
- [ ] Review card content for completeness

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/230
Erich Blume 2026-02-20 18:26:27 -08:00
commit 6d7071e5ec
4 changed files with 94 additions and 0 deletions


@ -6,6 +6,7 @@ requires:
- register-zot-oidc-client
- wire-ci-registry-auth
- enforce-tag-immutability
- adopt-commit-based-container-tags
tags:
- how-to
- zot
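Review bot: the new `requires:` entry `adopt-commit-based-container-tags` is listed alongside the hard prereqs, but the summary describes it as a soft prereq; unless the Mikado front-matter has a way to mark an entry as optional, a reader of `harden-zot-registry` will treat it as blocking. Consider either noting the soft status in the card body where the prereq is described, or confirming that the chain tooling does not gate on every `requires:` entry.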
@ -56,4 +57,5 @@ Update `ansible/roles/zot/templates/config.json.j2` to add:
- [[register-zot-oidc-client]] — Prereq: register OIDC client in Authentik
- [[wire-ci-registry-auth]] — Prereq: update CI push paths with credentials
- [[enforce-tag-immutability]] — Prereq: prevent version tag overwrites
- [[adopt-commit-based-container-tags]] — Prereq: commit-SHA-based image tags
- [[agent-change-process]] — C2 methodology
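Review bot: the one-line description `Prereq: commit-SHA-based image tags` is terse next to the neighbouring entries, which each name the concrete action; since this card is the one that decides what `enforce-tag-immutability` actually protects, it would help to state the tag shape the summary gives (`vX.Y.Z-<sha>`, with the `-main` / `-nix` suffixes) so the interaction between immutable tags and per-commit tags is visible from the hardening card itself.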