[CHA-0] Fix fork publishing: crds-less chart + tools image + CRD release bundle

[mogita]

Summary

Fixes the fork publishing path. The 1.0.2-getstream.1 build was broken in two ways the us-east5 dogfood surfaced (operator helm upgrade failed; no production cluster was affected). Both are corrected here; cut a fresh 1.0.2-getstream.2 from this.

Bug 1: chart can't ship CRDs (Helm 1MB release-Secret limit)

Bundling the 29 KubeBlocks CRDs put the chart's helm release Secret over Kubernetes' 1 MB cap, so helm upgrade failed with Secret ... Too long. This is why upstream .helmignores crds/.

• Re-exclude crds/ from the chart (.helmignore) → chart is helm-installable again.
• Ship the CRDs as a kubeblocks-crds.yaml GitHub release asset instead; chat's rocky installer kubectl applys it (same pattern cert-manager/tidb-operator use). The bundle is the 28 *.kubeblocks.io CRDs only, crds/snapshot/ (external snapshot.storage.k8s.io VolumeSnapshot CRDs) is deliberately excluded so we don't clobber the ones GKE owns.

Bug 2: shared image.registry/image.tag also drive the (unforked) tools image

The chart renders the tools image as {{ image.registry }}/{{ image.tools.repository }}:{{ image.tag }} in the manager init-container, dataprotection init, conversion hook, pre-delete-addon, and the upgrade hook. Overriding image.* to the fork made all of them pull ghcr.io/apecloud/kubeblocks-tools:<fork-tag> → 404 → ImagePullBackOff. tools has no per-image registry/tag override (only .repository).

• Publish the tools image under ghcr.io/getstream/kubeblocks-tools:<version> (rebuilt, not forked) so the shared override resolves. chat sets image.tools.repository=getstream/kubeblocks-tools.

Workflow now publishes (one version, lockstep)

validate → (image, tools, crds) → chart:

• operator image ghcr.io/getstream/kubeblocks:<v>
• tools image ghcr.io/getstream/kubeblocks-tools:<v>
• CRD bundle: GitHub release <v>, asset kubeblocks-crds.yaml
• crds-less operator chart oci://ghcr.io/getstream/charts/kubeblocks:<v>

Default version bumped to 1.0.2-getstream.2. contents: write added for the release.

Notes for review

• Chose to publish a tools image rather than patch the chart's tools templates, keeps deploy/helm identical to upstream for clean rebases; only the manager binary is genuinely forked.
• tools job uses make push-tools-image (deps include test-go-generate); first run may need a tweak, mirrors the working image job otherwise.
• Pairs with the chat PR that switches installKubeBlocks to apply CRDs from the release asset, set image.tools.repository, and bump to 1.0.2-getstream.2.