fix(release): harden publish artifact handoff

[f0rr0]

Summary

• Normalize downloaded WASIX AOT CI artifact envelopes before publish validation so release dry-runs can consume the current CI artifact layout.
• Add a release_commit workflow input for publish and publish-dry-run: it resolves a full SHA, requires it to be on current main, allows only release-tooling changes between the release commit and workflow commit, and uses the selected SHA for planning, CI gates, artifact downloads, publishing, and verification.
• Anchor release-please GitHub releases/tags to the selected release commit by creating a temporary target branch only when release_commit differs from the workflow commit.
• Remove the GitHub release asset overwrite switch; identical assets are skipped, but conflicting bytes now fail and require manual asset cleanup.
• Refresh derived release fingerprints/evidence required by the xtask asset handoff change.

Validation

• bash -n .github/scripts/resolve-release-head.sh .github/scripts/download-wasix-runtime-build-artifacts.sh .github/scripts/download-build-artifacts.sh .github/scripts/require-workflow-success.sh
• python3 -m py_compile tools/release/release.py tools/release/upload_github_release_assets.py tools/policy/check-release-policy.py tools/release/check_artifact_targets.py tools/release/check_release_metadata.py
• python3 tools/policy/check-release-policy.py
• tools/policy/check-workflows.sh
• python3 tools/release/check_artifact_targets.py
• bun tools/policy/assertions/assert-ci-workflows.mjs
• tools/release/release.py check
• tools/release/sync_release_pr.py --check
• resolver smoke tests for default, valid lagging release commit, and rejected non-tooling lagging release commit
• cargo test -p xtask
• git diff --check
• python3 tools/release/upload_github_release_assets.py --help
• python3 tools/release/release.py publish --help