ci(release): fix goreleaser pipeline and enable fork-friendly releases

[warku123]

What does this PR do?

Fixes three inter-related issues in the goreleaser release pipeline so that pushing a v* tag produces a complete, correctly signed GitHub Release — binary tarballs, checksums, cosign signatures — and gracefully skips optional distribution channels (Docker Hub, Homebrew tap) when the required secrets are absent.

Background / motivation: A stable upstream release is a hard prerequisite for the system-test integration work tracked in #170. Once this PR merges and a tag is cut, stest-up.sh can download trond from the official tronprotocol/tron-deployment releases instead of a fork, giving the java-tron CI a stable, versioned artefact to depend on.

Changes:

1. Dockerfile.release — add ARG TARGETPLATFORM and change the COPY line to COPY $TARGETPLATFORM/trond /usr/local/bin/trond. GoReleaser's dockers_v2 block places each platform binary at linux/amd64/trond / linux/arm64/trond in the build context; without this change the docker build fails with "/trond": not found.

2. .goreleaser.yaml:

   • Add token: "{{ .Env.HOMEBREW_TAP_TOKEN }}" to brews.repository so goreleaser uses the dedicated tap token rather than the repo-scoped GITHUB_TOKEN (which cannot push to a different repository).
   • Add release: draft: false / prerelease: auto block to make pre-release detection explicit.

3. .github/workflows/release.yml:

   • Hoist DOCKERHUB_USERNAME and HOMEBREW_TAP_TOKEN to the job-level env: block — secrets are not accessible in step-level if: expressions, but job-level env: values are.
   • Guard QEMU and Buildx setup steps with if: env.DOCKERHUB_USERNAME != '' so forks without Docker Hub credentials skip those steps instead of erroring.
   • Add a "Compute GoReleaser skip flags" step that auto-builds --skip=docker and/or --skip=homebrew when the corresponding secrets are absent, so the binary tarball + GitHub Release always succeed regardless of which optional secrets are configured.

Why are these changes required?

The previous pipeline failed on every tag push: the docker step crashed ("/trond": not found), and the skip logic was absent so the homebrew push would also fail on forks. Together these blocked the GitHub Release from being created at all. Forks/contributors wanting to cut a release need to produce binary tarballs and a signed checksums file without requiring Docker Hub or Homebrew secrets.

This PR has been tested by:

• Local goreleaser release --snapshot --clean --skip=sign — confirmed 4 platform binaries built, both linux/amd64 and linux/arm64 docker images produced.
• Tag v0.1.2-rc.1 pushed to the fork (warku123/tron-deployment) — full CI release run succeeded; GitHub Release created with tarballs, checksums.txt, .sig, and .pem artefacts.

Checklist

• Single module — CI/release pipeline only; no business logic touched
• No java.lang.Math or Maths — N/A (Go/YAML changes only)
• No floating-point in consensus code — N/A
• No System.out.println or leftover TODOs
• Complex logic has comments — skip-flag computation step is commented inline

Follow up

Before release:

1. Cut first stable tag (v0.1.2 or similar) after this merges so downstream consumers get a real releases/latest entry — pre-release tags are excluded from the GitHub API releases/latest response.

After release:
2. Switch stest-up.sh default from warku123/tron-deployment to tronprotocol/tron-deployment once an upstream release is published (tracked in #170).
3. Embed stest HOCON template into trond (follow-on to #170) so the intent YAML can reference the built-in system-test network config without carrying the file separately.
4. Add Docker Hub / Homebrew Tap secrets to the tronprotocol org if those distribution channels are desired — no code changes required, secrets alone unlock them.

Related PR: #170 feat(config): add system-test as fourth embedded HOCON network template