fix: add pull:true to docker-publish for fresh base images

The docker-publish.yml workflow was missing pull:true, causing it
to use cached Alpine images with vulnerable c-ares 1.34.5-r0.

This completes the fix across all three Docker workflows:
- docker-build.yml ✓
- docker-publish.yml ✓ (this commit)
- security-weekly-rebuild.yml ✓

Resolves CVE-2025-62408 (c-ares)

.github/workflows/docker-publish.yml

@@ -114,6 +114,8 @@ jobs:
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          # Always pull fresh base images to get latest security patches
+          pull: true
           cache-from: type=gha
           cache-to: type=gha,mode=max
           build-args: |