
ci: docker publish workflow for indexer-api + indexer-worker #52

Merged: satyakwok merged 1 commit into main from ci/docker-hub-publish, May 10, 2026

@satyakwok

Summary

Adds a GH Action that builds + pushes both indexer images to Docker Hub on every git tag of the form `v*`. Operators that want to self-host the Sentrix indexer get a clean path:

```
docker pull sentriscloud/indexer-api:0.4.0
docker pull sentriscloud/indexer-worker:0.4.0
```

vs the current path of cloning the repo + `pnpm install` + `docker compose build`. `:latest` tag tracks the highest non-prerelease semver (no `-` suffix in the version).

Matrix

Builds `indexer-api` (`apps/api/Dockerfile`) and `indexer-worker` (`apps/indexer/Dockerfile`) in parallel using docker buildx with GHA cache scoped per-image (api builds don't invalidate worker cache).

linux/amd64 only for now — arm64 emulation runs ~5x slower on x86 runners. Opt-in via follow-up workflow when there's actual demand.

Manual rebuild

`workflow_dispatch` path with a `tag` input for ad-hoc rebuilds (eg base-image security bump that doesn't ship a code change).

Operator setup before first tag

  1. Create Docker Hub org `sentriscloud` (free) — likely already exists.
  2. Create access token with read+write+delete repo perms at hub.docker.com → Account Settings → Security → New Access Token.
  3. Add repo secrets `DOCKERHUB_USERNAME` + `DOCKERHUB_TOKEN` at github.com/Sentriscloud/indexer/settings/secrets/actions.
  4. Tag a release: `git tag v0.4.0 && git push origin v0.4.0` — workflow fires + pushes images.

OCI labels

Each image carries the standard OCI labels (source / revision / version / license) so registries that index them (Docker Hub UI, GHCR, Artifact Hub) display correct metadata.

Out of scope (follow-up)

  • Multi-arch (linux/arm64) — needs separate runner or buildx emulation tradeoff
  • SBOM (cyclonedx / syft) — supply-chain hygiene; add when there's a 3rd-party consumer asking
  • Image signing (cosign) — when supply-chain attestation matters

Builds + pushes both images to Docker Hub on every git tag (v*).
Operators that want to self-host the Sentrix indexer get a clean path:

  docker pull sentriscloud/indexer-api:0.4.0
  docker pull sentriscloud/indexer-worker:0.4.0

vs the current path of cloning the repo + pnpm install + docker
compose build. :latest tag tracks the highest non-prerelease semver.

Matrix builds api + worker in parallel using docker buildx with GHA
cache (per-image scope so api builds don't invalidate worker cache).
linux/amd64 only for now — arm64 emulation runs ~5x slower on x86
runners; opt in via a follow-up workflow when there's actual demand.

Manual workflow_dispatch path for ad-hoc rebuilds (eg base-image
security bump that doesn't ship a code change). Requires
DOCKERHUB_USERNAME + DOCKERHUB_TOKEN repo secrets — add via
Settings → Secrets and variables → Actions before tagging the first
release.

Image labels follow OCI spec — source / revision / version / license
so registries that index labels (Docker Hub UI, GHCR, Artifact
Hub) display the right metadata.
@satyakwok satyakwok enabled auto-merge (squash) May 10, 2026 22:48
@satyakwok satyakwok merged commit 0f1329f into main May 10, 2026
6 checks passed
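
The `:latest` rule and the `workflow_dispatch` `tag` input described in the PR above, as an added example that is not part of the PR or the project's workflow (the workflow file is not shown on this page). It goes one step beyond the description by also handling a manual rebuild of an older release, which should not move `:latest` backwards. The function names, the list of already-published versions passed as arguments, and the refusal of build metadata are assumptions.

```shell
#!/bin/sh
# Added example, not the project's workflow. Function names are hypothetical.

# Strict vMAJOR.MINOR.PATCH with an optional -prerelease suffix. Build metadata
# (+...) is refused because '+' is not a valid character in a Docker tag.
SEMVER_RE='^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-[0-9A-Za-z]+(\.[0-9A-Za-z]+)*)?$'

is_semver_tag() {
  # grep matches line by line, so refuse embedded newlines before matching.
  case "$1" in *'
'*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eq "$SEMVER_RE"
}

# image_tags <git-tag> [already-published versions...]
# Prints the image tags to push; returns 1 on input that is not vX.Y.Z[-pre].
image_tags() (
  ref=$1
  shift
  # Do not echo the rejected value: it is untrusted input headed for CI logs.
  is_semver_tag "$ref" || { printf 'refusing tag input\n' >&2; return 1; }
  version=${ref#v}
  # Prerelease (has a '-' suffix): push the version tag only, never :latest.
  case "$version" in *-*) echo "$version"; return 0 ;; esac
  # Stable: take :latest only if no published stable version is higher.
  # sort -V is a GNU/BSD extension; plain X.Y.Z values sort correctly with it.
  highest=$(
    { echo "$version"
      for v in "$@"; do case "$v" in *-*) ;; *) echo "$v" ;; esac; done
    } | sort -V | tail -n 1
  )
  if [ "$highest" = "$version" ]; then
    echo "$version latest"
  else
    echo "$version"
  fi
)
```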