Add manual workflow_dispatch for branch Docker image builds

[Copilot]

• Explored existing docker.yaml workflow to understand build process
• Created .github/workflows/docker-branch.yaml for manual workflow_dispatch builds
• Reject latest and stable reserved tags
• Validate Docker tag constraints (charset, length 1-128, no leading/trailing separators)
• Use printf instead of echo to safely write VERSION

[Copilot]

Pull request overview

Adds a new manually triggered GitHub Actions workflow to build and publish multi-arch Docker images from arbitrary branches using a user-supplied tag, without creating a GitHub Release or automatically tagging latest.

Changes:

• Introduces .github/workflows/docker-branch.yaml with a workflow_dispatch input (tag) to drive branch image builds.
• Reuses the existing Docker build tooling/actions and multi-platform configuration to push ngrok/ngrok-operator:<tag>.
• Applies reduced workflow permissions (contents: read) and a repository guard to limit where the workflow runs.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[jonstacks]

@copilot apply changes based on the comments in this thread

[Copilot]

@copilot apply changes based on the comments in this thread

Done in commit 711bfc5. Both review items are addressed:

1. Reserved tags — latest and stable are now explicitly rejected before any other checks.
2. Docker tag constraints + safe VERSION write — the validation now checks tag length (1–128), allows only [a-zA-Z0-9_.-], rejects leading ./- and trailing ./- via an anchored regex (^[a-zA-Z0-9_]([a-zA-Z0-9_.-]*[a-zA-Z0-9_])?$), and printf '%s' is used instead of echo to write VERSION safely.