Adopt commit-based container tags (#232)

## Summary
- Replace git-tag-triggered container builds with path-based triggers on main and workflow_dispatch
- Image tags now encode upstream app version + commit SHA (`vX.Y.Z-<sha>`) for full traceability
- Replace `container-tag-and-release` task with `container-build-and-release` (dispatches workflows via Forgejo API)
- Update dagger `publish()` to accept `commit_sha` parameter
- Update all docs and references to the new workflow

## Deployment and Testing
- [ ] Merge to main
- [ ] `mise run container-build-and-release <name>` for each container to populate new-format tags
- [ ] Verify tags in registry via `mise run container-list`
- [ ] Existing images untouched — old tags remain available

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/232

mise-tasks/container-list

@@ -52,10 +52,11 @@ for dir in "$CONTAINER_DIR"/*/; do
 done
 
 echo "---"
-echo "To release a new version:"
-echo "  mise run container-tag-and-release <container> <version>"
+echo "To trigger a build:"
+echo "  mise run container-build-and-release <container>"
 echo ""
-echo "One tag triggers all applicable workflows (dockerfile and/or nix)."
+echo "Dispatches both Dockerfile and Nix workflows (each skips if build file absent)."
+echo "Tags: vX.Y.Z-<sha> (Dockerfile), vX.Y.Z-<sha>-nix (Nix)"
 echo ""
 echo "Example:"
-echo "  mise run container-tag-and-release nettest v1.0.0"
+echo "  mise run container-build-and-release nettest"