ci: extract GHCR image publish into manually-dispatchable workflow

[jimisola]

Summary

• New reusable workflow .github/workflows/publish-image.yml that publishes the reqstool image to GHCR for an explicit PyPI version.
• Supports both workflow_call (used from release_prod.yml) and workflow_dispatch (manual republish of any past version).
• release_prod.yml now calls this workflow on release events, passing github.event.release.tag_name as the version.
• Tag computation switched from github.ref parsing to inputs.version. The existing !startsWith(github.ref, 'refs/tags/v0.') guard for the bare-major tag never matched (this repo uses unprefixed tags like 0.9.0); replaced with !startsWith(inputs.version, '0.'), matching the original intent.

Motivation

0.9.0's image publish failed during the release run (stale Fastly cache in pip install --dry-run, fixed for future runs in #348). Neither re-run nor workflow_dispatch on the 0.9.0 tag can recover it:

• Re-run reuses prior run state / cached misses.
• workflow_dispatch on a tag uses the workflow file at that tag (still broken).
• workflow_dispatch on main after fix(ci): poll PyPI JSON API for availability check #348 produces wrong semver tags because github.ref is a branch.

A standalone input-driven workflow sidesteps all of these.

Test plan

• After merge, manually dispatch Publish image to GHCR with version: 0.9.0 and verify ghcr.io/reqstool/reqstool:0.9.0, :0.9, :0, :latest, :sha-<current> are pushed
• Verify the built image runs: docker run --rm ghcr.io/reqstool/reqstool:0.9.0 reqstool --version
• Next real release: confirm release_prod.yml → reusable publish-image.yml chain still runs end-to-end