ci: clean up GitHub Actions workflows #621

Merged: CaseyLabs merged 5 commits into master from ci/github-actions-cleanup on Jun 12, 2026
CaseyLabs commented Jun 10, 2026

Collaborator

Summary

  • split CI gating so master pushes avoid duplicating prerelease race tests
  • add gated GitHub automation lint and Lua lint jobs
  • include embedded module assets in the Go test gate so go:embed content changes still compile/test
  • harden Discord notification and Docker release credentials/provenance
  • matrix release binary builds while preserving existing asset names, and avoid repeated generation in release matrix jobs
  • add guarded cleanup for failed stable-release draft/tag artifacts so retries are not blocked by drafts created by this workflow run
  • pin local CI tooling, make Lua lint self-contained in the local CI image, and clean shell-script lint issues
  • reduce change-detection checkout depth with fallback fetches for larger ranges

Validation

  • actionlint .github/workflows/*.yml
  • yamllint .github
  • shellcheck .github/scripts/*.sh
  • make validate
  • make js-lint
  • make lua-lint
  • make ci-local
  • git diff --check

@CaseyLabs

Collaborator Author

Security/latest-actions follow-up for head 62355906:

  • No workflow uses dynamic action refs such as @latest, @main, or @master.
  • No secrets: inherit usage remains in these workflows.
  • Discord webhook payloads are JSON-encoded from environment values, with allowed_mentions disabled.
  • Local CI installs act v0.2.89 over HTTPS and verifies the Linux amd64/arm64 tarball SHA256 before extraction.
  • Existing action SHA pins were checked against current upstream tags, including actions/checkout v6.0.3, Docker action updates, and github/codeql-action v4.36.2.

Validation rerun after this pass:

  • actionlint .github/workflows/*.yml
  • yamllint .github
  • shellcheck .github/scripts/*.sh
  • make ci-local
  • git diff --check
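
The first follow-up item above (no dynamic refs such as @latest, @main, or @master, with actions pinned by SHA) can be checked mechanically. The script below is an added example, not part of this PR or the project's scripts; the function names, the sample workflow, the example-org actions and the 40-hex placeholder SHA are constructed for illustration.

```shell
#!/bin/sh
# Added example: report `uses:` refs that are not pinned to a full
# 40-character commit SHA. Prints "file:line: ref"; returns 1 on any finding.
find_unpinned_actions() {
  awk '
    /^[ \t]*(-[ \t]*)?uses:/ {
      ref = $0
      sub(/^[ \t]*(-[ \t]*)?uses:[ \t]*/, "", ref)
      sub(/[ \t]*#.*$/, "", ref)     # drop a trailing "# v1.2.3" comment
      gsub(/["\047]/, "", ref)       # drop surrounding quotes
      if (ref ~ /^\.\.?\//) next     # local action or workflow: no ref to pin
      if (ref ~ /^docker:\/\/.*@sha256:/) next   # image pinned by digest
      n = split(ref, part, "@")
      sha = (n > 1) ? part[n] : ""
      if (length(sha) != 40 || sha !~ /^[0-9a-f]+$/) {
        print FILENAME ":" FNR ": " ref
        bad = 1
      }
    }
    END { exit bad + 0 }
  ' "$@"
}

# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
write_sample_workflow() {
  cat > "$1" <<'EOF'
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # pinned
      - uses: example-org/setup-tool@v2
      - name: Notify
        uses: "example-org/notify@main"
      - uses: ./.github/actions/local-lint
      - uses: example-org/scan@latest
EOF
}

# Demo run on the constructed sample.
sample="${TMPDIR:-/tmp}/unpinned-demo-$$.yml"
write_sample_workflow "$sample"
find_unpinned_actions "$sample" || echo "unpinned action refs found"
rm -f "$sample"
```

Run against real workflows as `find_unpinned_actions .github/workflows/*.yml`; a version tag such as `@v2` is reported as well as a branch name, since a tag can be moved to a different commit.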

CaseyLabs force-pushed the ci/github-actions-cleanup branch from a375f8c to b941bbe (June 10, 2026 23:56)
CaseyLabs marked this pull request as ready for review (June 11, 2026 05:40)
CaseyLabs requested a review from Volte6 as a code owner (June 11, 2026 05:40)
CaseyLabs merged commit 99305b2 into master (Jun 12, 2026)
20 checks passed
CaseyLabs deleted the ci/github-actions-cleanup branch (June 12, 2026 05:48)