feat(release): version live-image, skip rebuild+redownload when unchanged

Splits the release workflow into three jobs (detect, build-live-image,
bundle) so the ~9 min mkosi build only runs when live-image/VERSION
bumps. The slim bundle (~30 MB: orchestrator + agent + deploy scripts
+ a live-image/VERSION pointer) rebuilds every push; the ~300 MB
vmlinuz+initrd.img are published separately under the immutable
live-image/<version>/ path. install.sh compares the pointer to
/var/lib/vetting/live/VERSION and fetches the files only on mismatch,
cutting repeat-install wall-clock from ~30 s + 300 MB to ~10 s + 0 MB
on the common no-live-image-change release.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

live-image/README.md

@@ -4,13 +4,24 @@ Debian-based Linux live image that PXE-booted hosts drop into. Runs the
 `vetting-agent` binary under systemd and reaches back to the orchestrator
 over HTTP+SSE.
 
-## Preferred build path: `make release`
+## Versioning
 
-Run `make release` from the repo root (Linux/WSL) — it builds the live
-image *and* bundles it with the orchestrator binary, install scripts,
-and pinned iPXE SHAs into a single `vetting-bundle-<sha>.tar.gz`. See
+The live image has its own version marker at
+[VERSION](VERSION). Bump it (`v<major>.<minor>.<patch>`) whenever
+any mkosi input changes; CI only rebuilds and republishes
+`live-image/<VERSION>/{vmlinuz,initrd.img}` on the push that touches
+that file. The slim release bundle carries only a pointer to this
+version, and `install.sh` fetches the actual files from the registry
+when the target's on-disk copy is stale. See
 [../docs/operations.md](../docs/operations.md) for the install flow.
 
+## Release bundling
+
+`make release` from the repo root produces `vetting-bundle.tar.gz` —
+orchestrator + agent + install scripts + a `live-image/VERSION`
+pointer. It does **not** embed `vmlinuz`/`initrd.img`; those come
+from the registry at install time.
+
 ## Manual build (dev loop)
 
 On Windows:

live-image/VERSION

@@ -0,0 +1 @@
+v0.1.0