fix(ci): eliminate git tag race condition with dedicated set-git-tag job

[tehw0lf]

Summary

• Multiple publishing workflows (publish-docker-image, publish-npm-libraries, publish-python-libraries, release-github) were all setting the same git tag in parallel, causing TOCTOU failures when two jobs passed the ls-remote check simultaneously but only one could push
• Extracts tag creation into a single new reusable workflow set-git-tag.yml, called as a dedicated set_git_tag job in build-test-publish.yml after security_scan_artifacts and before all publishing jobs
• All publishing jobs now declare set_git_tag in their needs, so the tag is guaranteed to exist (or already existed) by the time any publisher runs
• No changes to calling repos required — the fix is entirely internal to this workflow repository

Test plan

• Trigger a push on a repo that uses both docker and npm publishing — verify both complete without tag conflict errors
• Verify set_git_tag job appears in the workflow run graph between security_scan_artifacts and the publishing jobs
• Verify that re-running a failed publisher no longer fails on the tag push (tag already exists → warning, continues)