ci: add cross-platform release workflow and Docker build

[appcypher]

Summary

• Add a new two-stage release workflow that builds libkrunfw for Linux and macOS across x86_64 and aarch64
• Replace krunvm-based macOS build scripts with a Docker-based approach using Fedora containers
• Disable all upstream CI workflows (commented out for reference) since we don't need SEV, TDX, or riscv64 for microsandbox
• Release artifacts are bare library files with arch-differentiated names for direct download by microsandbox's build.rs

Changes

• Added .github/workflows/release.yml: two-stage pipeline triggered on GitHub release publish. Linux runners (ubuntu-latest, ubuntu-24.04-arm) build the kernel and .so natively, then pass kernel.c as a job artifact to macOS runners (macos-latest, macos-13) for .dylib compilation. Versions are extracted from the Makefile at CI time.
• Commented out all 6 existing workflow files (build-aarch64, build-x86_64, build-sev, build-tdx, cross-build-riscv64, publish-release) to disable them while preserving for reference
• Added build_in_docker.sh: replaces build_on_krunvm.sh for local macOS builds. Runs kernel compilation in a Fedora Docker container with bind-mounted source directory.
• Deleted build_on_krunvm.sh, build_on_krunvm_fedora.sh, build_on_krunvm_debian.sh
• Updated Makefile Darwin code path to call build_in_docker.sh instead of build_on_krunvm.sh
• Added *.dylib to .gitignore
• Added plan.md documenting the release workflow design and architecture decisions

Test Plan

• Verified local macOS build works: make successfully builds kernel in Docker and produces libkrunfw.5.dylib
• Create a test GitHub release to verify the release workflow runs and uploads all 4 artifacts (libkrunfw-linux-x86_64.so, libkrunfw-linux-aarch64.so, libkrunfw-macos-aarch64.dylib, libkrunfw-macos-x86_64.dylib)
• Verify disabled workflows no longer trigger on PRs