* ci: split dev image build into a shared job
Extract the Docker build step into a dedicated `build` job so `quality`
and `tests` no longer each build the image independently. Both jobs now
load from the shared `devbuild` GHA cache scope and declare `needs: build`.
* ci: skip quality+tests on tag push, verify prior CI run instead
When tagging a commit that already passed CI on main, there is no need
to run quality and tests again. Both jobs now skip for tag refs.
A new `verify-prior-run` job runs instead: it queries the GitHub API for
a prior successful CI run on the same SHA (excluding the current run) and
fails fast if none is found, preventing deployment of untested tags.
`build-deploy` now uses `always() && !cancelled() && !failure()` so it
handles the mix of skipped (quality/tests) and successful (verify-prior-run)
needed jobs correctly.
* ci: bump GitHub Actions to Node.js 24 compatible versions
* ci: add Dependabot config for GitHub Actions version updates
* ci: pin all GitHub Actions to commit SHAs
* ci: disable credential persistence on all checkout steps