Harden release package metadata updates

[eric-tramel]

What

Tighten the remaining release mechanics after the PUBLISH=1 flow landed:

• serialize package publish jobs with a workflow concurrency group;
• fetch ddp-package-assets/packages.json by exact release asset id before merging package metadata;
• delete the previous packages.json asset only when one was actually found;
• require local make release to run from the fetched origin/main tip, not just an older ancestor.

Why

The shared package-list asset is the one mutable state point in the release process. Without concurrency, two releases published close together could both read the same old packages.json, merge their own package files, and let the later upload drop the earlier package row. Fetching the asset by id also avoids treating any gh release download failure as "no package list exists."

The local release guard closes the other easy footgun: tagging an old main ancestor after forgetting to update the checkout.

Usage

The release command stays the same:

make release PLUGIN=data-designer-my-plugin PUBLISH=1

It now fails early unless the worktree is clean and HEAD == origin/main after fetching origin main.

How

• Add top-level concurrency to .github/workflows/publish.yml with cancel-in-progress: false.
• Replace the broad gh release download ... || empty file fallback with an exact GitHub API asset lookup/download.
• Keep the publish workflow's package-list merge behavior unchanged after the metadata file is loaded.
• Update release docs and agent guidance for the stricter local release guard.

Validation

• ruby -e 'require "yaml"; YAML.load_file(".github/workflows/publish.yml"); YAML.load_file(".github/workflows/docs.yml"); puts "workflow yaml parsed"'
• make -n release PLUGIN=data-designer-template
• make -n release PLUGIN=data-designer-template PUBLISH=1
• gh api package asset lookup smoke test for missing and existing assets
• git diff --check
• make check
• make docs
• make lint
• make test-devtools