ci: gate merges and releases on Integration e2e

[joshua-temple]

Problem

Integration (act + gitea) e2e is informational only; main's required checks are ["PR Gate"]. A red e2e can merge and ship (this is the gap that let a red change in). Separately, release.yaml's push: tags: ['v*'] has not been auto-firing: every release this session needed a manual gh workflow run.

Fix

• e2e.yaml: path filtering moves from the workflow on: triggers to a job-level changes detector (dorny/paths-filter). A new always-run Integration Gate job reports the required status context: it passes when E2E is correctly skipped on non-code changes and mirrors the heavy E2E result otherwise. This avoids the required-but-skipped deadlock so the context can be made a required check.
• orchestrate.yaml: the release-candidate tag is created with the trigger-capable token (CASCADE_STATE_TOKEN) instead of GITHUB_TOKEN. Tags created via the API with GITHUB_TOKEN do not emit a push event (GitHub's recursion guard), which is why release.yaml never auto-fired. The PAT-created tag fires Release, which chains to Fleet for rc tags.
• release.yaml: documents that a tag cut from main is implicitly Integration-validated because Integration now gates merge, so there is no need to double the ~27min e2e cost on the release path.

Verification

• actionlint clean on all three changed files (the two SC2129 style warnings in orchestrate.yaml pre-exist and are untouched by this change).
• The Integration Gate context will be added to branch protection after this PR merges, so this workflow-only PR is not blocked by a gate that does not yet exist on its base.