fix(ci): clean docker boot sync after cancellation (#5296)

Closes #5295

## Summary

- Disable Docker compose restart policies for boot-sync CI jobs while preserving the local default.
- Move Docker boot-sync bind mounts out of the repository checkout and into a job-scoped `$RUNNER_TEMP` directory.
- Clean compose projects with `down --remove-orphans` on script exit and an `if: always()` workflow step.
- Add a static CI guard for the boot-sync cleanup contract.

## Verification

- `scripts/ci/check-docker-boot-sync-cleanup.sh`
- `bash -n run/common/docker/run.sh scripts/ci/check-docker-boot-sync-cleanup.sh`
- `git diff --check HEAD~1..HEAD`
- `./scripts/shellcheck.sh`