fix: harden release scripts with shared library and validation

[adwk67]

Summary

• Extract duplicated logic from 5 release scripts into a shared release/lib.sh (validation, helpers, iteration, verification)
• Fix 13 issues identified during release-script audit (see table below)
• Add verify_release pre-commit checks (8 verification types) to catch release transformation errors before committing

#	Finding	Fix
1	Partial failure with no recovery	PR branch resume, idempotent changelog, no-diff re-runs
3	-w not validated	validate_what() in lib.sh, all 5 scripts
4	Tag/branch format validation inconsistent	Shared validate_tag() / validate_release(), consistent regex
5	Inconsistent dependency checks	check_build_dependencies() vs check_basic_dependencies()
6	Branch-existence grep is loose	ls-remote --heads (no local refs); anchored regex fallback
7	git commit -sam captures unintended files	Explicit git add in create-rc for products and operators
8	No dirty-index check	require_clean_worktree in lib.sh, called in 3 functions
10	cd without return / cwd drift	All per-repo functions wrapped in subshells (...)
12	check_tag_is_valid implicit cwd	Takes explicit repo_dir parameter; all callers updated
13	Stale branch lists in tag script	ls-remote --heads replaces fetch + local branch inspection
15	Minor inconsistencies	REPOSITORY→REMOTE, usage strings, validate_tag in merge-rc
17	create-release-branch ignores existing	warn_if_branch_exists + check_existing_branches
18	libgit2 dynamic linking	LIBGIT2_NO_PKG_CONFIG=1 in create-rc
19	git fetch destroys local tags	All fetch+inspect replaced with git ls-remote

Test plan

• Dry-run of fictional 26.3.1 patch release across docker-images, airflow-operator, and commons-operator
• Run twice without cleanup to confirm idempotency (second run produces no new commits)
• verify_release passes all 8 check types across all 3 repos in both runs
• Review lib.sh shared functions for correctness
• Confirm shellcheck passes on all scripts

🤖 Generated with Claude Code