Improve Docker CI for PRs and add manual release workflow

Refactor the Docker image workflow to better support pull requests,
forks, and multi-architecture builds.

Changes:
- add pull_request support for Docker image builds
- refactor duplicated amd64/arm64 jobs into a matrix build
- keep DockerHub login/push disabled for PR builds
- keep manifest creation only for non-PR builds
- derive image namespace from DOCKERHUB_NAMESPACE or repository owner
- add Grype scanning for the base image
- upload SARIF results only for non-PR builds
- print scan SARIF in PR builds instead of uploading it
- keep the existing per-arch slim image flow
- add Buildx cache configuration

Also add a separate manual Release workflow that:
- takes an explicit VERSION input
- creates and pushes a lightweight git tag
- creates the GitHub release
- dispatches the Docker workflow for that tag via workflow_dispatch

This keeps PR behavior fork-friendly, adds image vulnerability scanning,
and makes releases explicit without requiring Gradle or computed versioning.

Author: wborn

.github/release.yml

@@ -0,0 +1,17 @@
+changelog:
+  categories:
+    - title: 🎉 New features
+      labels:
+        - Feature
+    - title: ⭐ Enhancements
+      labels:
+        - Enhancement
+    - title: 🐞 Bug fixes
+      labels:
+        - Bug
+    - title: 📝 Documentation
+      labels:
+        - Documentation
+    - title: Other changes
+      labels:
+        - "*"