feat: add org.opencontainers.image.revision OCI label to all container images

[ambient-code]

Summary

• Adds ARG GIT_COMMIT=unknown and LABEL org.opencontainers.image.revision=$GIT_COMMIT to the final stage of all 7 production Dockerfiles (backend, frontend, operator, public-api, ambient-runner, state-sync, ambient-api-server)
• Passes GIT_COMMIT=${{ github.sha }} in build-args for both push and PR build steps in components-build-deploy.yml
• Passes GIT_COMMIT=${{ github.sha }} in build-args in prod-release-deploy.yaml (alongside existing AMBIENT_VERSION which is set to the release tag, not a SHA)
• Passes --build-arg GIT_COMMIT=$(git rev-parse HEAD) in all Makefile build targets (including kind-reload-* and local-reload-api-server)

Test plan

• Verify label is present on a locally built image: podman build --build-arg GIT_COMMIT=$(git rev-parse HEAD) -t test components/backend && podman inspect test | jq '.[0].Config.Labels["org.opencontainers.image.revision"]'
• Verify CI builds pass with new build-args format
• Verify skopeo inspect docker://quay.io/ambient_code/vteam_backend:<sha> | jq '.Labels["org.opencontainers.image.revision"]' returns a valid SHA after merge

Closes #1269

🤖 Generated with Claude Code

---

🤖 Ambient Session

[github-actions]

⚠️ SDD Preflight — Managed Paths Modified

This PR modifies files in SDD-managed component(s). These components are migrating to Spec-Driven Development.

File	Component	Mode
components/runners/ambient-runner/Dockerfile	runner	warn

No action required — these components are in warn mode. Consider using the component's agent workflow for future changes.

📖 Specs: Runner Spec · Runner Constitution

[ambient-code]

This PR adds the org.opencontainers.image.revision OCI label to all 7 production Dockerfiles, wired through CI workflows and the Makefile.

Changes per acceptance criteria:

• All Dockerfiles include ARG GIT_COMMIT=unknown and LABEL org.opencontainers.image.revision=$GIT_COMMIT in the final image stage
• components-build-deploy.yml passes GIT_COMMIT=${{ github.sha }} in build-args for both push and PR build steps
• prod-release-deploy.yaml passes GIT_COMMIT=${{ github.sha }} in build-args alongside the existing AMBIENT_VERSION
• Makefile passes --build-arg GIT_COMMIT=$(git rev-parse HEAD) alongside existing AMBIENT_VERSION build args

Note on the operator Dockerfile: The existing ARG GIT_COMMIT=unknown is in the builder stage (scoped to that stage in Docker multi-stage builds). A second ARG GIT_COMMIT=unknown is needed in the final stage for the LABEL to reference it — this is required by Docker's ARG scoping rules, not a true duplication.

🤖 Session