fix(registry): verify publish tags with docker auth

[JSONbored]

Summary

• Keep post-publish registry verification inside the authenticated Docker config used for publishing.
• Pass the publish Docker environment through GHCR docker buildx imagetools inspect verification.
• Fix an existing closure lint issue surfaced by the current Trunk gate.

Why

Template publishing pushed to a private GHCR package, then verification ran after the temporary Docker auth context was removed. GHCR verification fell back to anonymous access and failed with 401 despite the build path succeeding.

Validation

• uv run --with pytest pytest tests/test_cli.py::test_registry_publish_verifies_with_repo_path tests/test_cli.py::test_registry_publish_rebuilds_when_tags_are_current tests/test_cli.py::test_registry_publish_logs_in_with_temporary_scrubbed_docker_config tests/test_registry.py::test_ghcr_verification_uses_docker_imagetools tests/test_poll.py::test_publish_required_accepts_runtime_and_release_commits
• uv run --with pytest pytest
• trunk check --show-existing --all --no-progress --color=false
• git diff --check

Notes

• This is required before retrying the unraid-aio-template release publish run.