feat(release): incremental combos — skip unchanged via a content-hash tag

[elronbandel]

What

Stop rebuilding the ~12,800 combos+standalones every release. Add a content-hash skip on the existing buildx bake — no account, no SaaS, no Dockerfile rewrite (git + buildx + bash).

How

• containers/scripts/combo-src-hash.sh — a combo's hash = its build source (the two Dockerfiles + runner/ + entrypoint/ + the bake graph) folded with the manifest digest of every base it's FROM (benchmark, agent, gosu, otel, process-compose, model).
  • Identical hash → skip.
  • A changed base → new parent digest → new hash → rebuild. That's the cascade, for free — a base rebuild ripples into every combo on top of it.
• combos job — compute the hash; under skip_published, skip if evals/<b>--<a>:src-<hash> already exists; stamp that tag on a successful build so the next run skips this exact source.

Why a tag, not a label

docker buildx imagetools inspect --format '{{.Config.Labels…}}' fails on multi-arch images — verified on both the manifest list and the per-arch sub-manifest (can't evaluate field Config). Tag-existence checks work cleanly, so the hash lives in a :src-<hash> tag (the ko / content-addressed-tag pattern).

Verified

• Logic, two ways: tests/build/hash-cascade.sweep.sh + a Rust wrapper (combo_src_hash_cascade, no docker → runs every cargo test) assert the hash is deterministic, cascades over all 6 parents, and is source-sensitive. Both pass locally.
• Lint: shellcheck (scripts + the workflow bash), actionlint, cargo fmt — all green.
• The live combos-job wiring (digest reads + skip-check) is exercised by a dry_run dispatch on this branch.

Follow-ups (not in this PR)

• Staleness gate (the feat(release): end-of-run fleet inventory report (completeness + freshness) #233 report made enforcing) — the one DIY risk is hash completeness; a gate catches any missed input.
• :src-* tag GC — each source version leaves a hash-tag; a periodic prune keeps GHCR tidy.

This is the no-account, simplest-standard-tools version of incremental builds, validated end-to-end before wiring (the apt/QEMU misfires taught me to measure first).

[elronbandel]

Superseded by #241 — the git-diff affected-set is the standard approach (Nx/Turborepo's affected) and far simpler than content-hash tags. No script, no per-job skip.