Commit 2874707
Harden CI workflows and Dockerfiles
Workflows:
- ci-comprehensive-build-test.yml: remove fuzzer job, add sanitize-sed.sh
sourcing to all bash steps, remove pull-requests: read, renumber jobs 1-7
- ci-docker-latest.yml: add shell hardening prologue, sanitize-sed.sh,
rename image from iccdev-latest to iccdev, SBOM and attestations
- ci-docker-nixos.yml: add shell hardening prologue, sanitize-sed.sh,
SBOM and attestations
Dockerfiles:
- Dockerfile: pin ubuntu:26.04 to sha256 digest, replace git clone with
COPY, remove git from builder deps, add IccJpegDump to PATH
- Dockerfile.nixos: pin nixos/nix base image to version+digest, replace
git clone with COPY, add CMAKE_BUILD_TYPE=Release, add non-root iccdev
user, use generic library version names in welcome script
1 parent 9f53e42
5 files changed, +638 -202 lines changed