Cardano Updates

Closes #5278

Closes #5278

Validate the cardano-wallet package as the next dependency-first slice.
No owned source changes were required; the patch records formatting,
linting, component builds for the library, public sublibrary, executables,
and the green wallet-key-export test result.

Validate delta-store as the next dependency-first slice. No owned source
changes were required; the patch records formatting, linting, Nix
package/check builds, and the green unit test result.

Validate cardano-wallet-network-layer as the next dependency-first
slice. No owned source changes were required; the patch records
formatting, linting, Nix package/check builds, and the green unit test
result.

Validate iohk-monitoring-extra as the next dependency-first slice. The
package declares no Cabal test-suite, so the patch records formatting,
linting, cabal formatting, and the Nix library build gate.

Validate cardano-api-extra as the next dependency-first slice. The
package declares no Cabal test-suite, so the patch records formatting,
linting, cabal formatting, and the Nix library build gate.

Validate address-derivation-discovery as the next dependency-first
slice. The package declares no Cabal test-suite, so the patch records
formatting, linting, cabal formatting, and the Nix library build gate.

Validate cardano-wallet-secrets as the next dependency-first slice.
No owned source changes were required; the patch records formatting,
linting, Nix package/check builds, and the green test-suite result.

Validate cardano-wallet-primitive as the next dependency-first slice.
No owned source changes were required; the patch records formatting,
linting, Nix package/check builds, and the green package-local test
result.

Closes #5278

Closes #5281.

Three related fixes to the release pipeline, each in its own commit.

## 1. `chore(release): trim signatures template to current maintainers`

`scripts/release/release-template.md` shipped a 6-row signature table.
The
only currently-active wallet maintainers signing releases are Paolo
Veronelli (@paolino) and Pawel Jakubas (@paweljakubas). Removed the
other
rows so the templated release body no longer needs hand-editing for the
signature section.

## 2. `ci: pin Windows runners to windows-2025-vs2026`

Windows jobs emit a deprecation notice on `windows-latest`:

```
NOTICE: windows-2025 requests are being redirected to windows-2025-vs2026 by May 12, 2026
```

Pinned the four Windows job sites to the new explicit label:
- `.github/workflows/release.yml` (release e2e-windows)
- `.github/workflows/verify-release.yml` (verify-windows)
- `.github/workflows/windows-e2e.yml` (e2e-tests)
- `.github/workflows/windows.yml` (unit-tests)

`windows-2025-vs2026` is GA on GitHub-hosted runners (per
`actions/runner-images#14016`, May 7, 2026). `actionlint` does not yet
know the label; the warning it prints is a tooling lag, not a real
problem.

## 3. `fix(release): require manual publish for real releases`

This addresses two distinct bugs that share the same root cause: the
pipeline publishes too eagerly.

### Bug A — releases auto-undrafted before notes are reviewed

The `publish-release` job called `gh release edit --draft=false`
automatically once `verify-assets` passed. That published
v2026-05-11 as a prerelease with the raw template body — Docker link
placeholder still saying `FIX THIS LINK BY INSPECTING DOCKERHUB !`,
`Fixed/Added/Changed/Removed` sections empty, defunct signers
listed. Notes had to be rewritten in place after the release was
already public.

### Bug B — `releases/latest` API followed `nightly`

```
$ gh api repos/cardano-foundation/cardano-wallet/releases/latest --jq .tag_name
nightly
```

`nightly` is published as a non-prerelease, non-draft release. With
the default `make_latest=legacy` rule, GitHub picks the most recently
published non-prerelease release as Latest — which is `nightly`
every morning, until the next real release. So the "Latest" pointer
on the repo silently followed nightly builds.

### Fixes

`release.yml`:

- `create-release`: `gh release create` now passes `--prerelease` when
`IS_RELEASE != 'true'`. Nightly/test stop overtaking semver releases as
  GitHub's "Latest".
- `publish-release`: auto-un-drafts only nightly/test. For real
  releases it logs a notice ("Edit notes and click Publish in the UI")
  and leaves the draft in place. The maintainer reviews + publishes
  manually.
- `push-docker`: skipped on the release path. Tags renamed to
  reflect it now only handles nightly/test. The `latest` tag push is
  removed (it was already conditional on `IS_RELEASE`, which is now
  always false here).
- `update-docs`: removed from `release.yml`.

New `.github/workflows/publish-release.yml`:

- Triggered on `release.published` (filter:
`!github.event.release.prerelease`).
- `push-docker`: downloads the `cardano-wallet-<tag>-docker-image.tgz`
asset from the release, pushes `cardanofoundation/cardano-wallet:<tag>`
  and `:latest`.
- `update-docs`: checks out `gh-pages`, runs
  `releases/make_redirects.sh "<tag>"`, pushes.

### Flow after this PR

- **Nightly cron**: same UX as before — workflow runs end-to-end,
  release un-drafts as a prerelease, docker `nightly` tag pushed. No
  human action needed. GitHub "Latest" pointer no longer changes.
- **Real release**: workflow builds, verifies, uploads assets to a
  draft. Stops there. Maintainer edits the release notes, then
  clicks "Publish release" in the GitHub UI. That fires
  `release.published`, which runs `publish-release.yml` to push the
  docker image (`<tag>` and `latest`) and update gh-pages redirects.

## Test plan

- [ ] Nightly cron run: release is created as draft prerelease,
un-drafted
by publish-release, `releases/latest` still points to the most recent
      semver release.
- [ ] Manual release run: draft is created, publish-release logs the
notice URL, draft stays as draft, docker is NOT pushed yet, gh-pages
      not updated.
- [ ] Click "Publish release" in the UI: `publish-release.yml` runs,
      docker `<tag>` and `:latest` pushed to Docker Hub, gh-pages
      redirects added.
- [ ] Windows jobs no longer emit the `windows-2025 -> vs2026` redirect
      notice.
- [ ] Templated release body's signature table contains only Paolo and
      Pawel.