The release tool tags whatever HEAD points at and pushes the tag, but the
downstream "chore: bump" commit it creates afterwards is only committed
locally (gitPushTags pushes tags, never the branch). When the tool is re-run
while HEAD sits on such a local-only bump commit, the new tag lands on a
commit that is not on the remote default branch.

That is how store/v0.0.28 ended up pinned to the "chore: bump store/v0.0.27"
commit, shipping a store release that predated — and therefore did not
contain — a Linux keychain fix that had already merged via PRs.

Before creating any tag, fetch and verify HEAD equals the tip of the remote
default branch (origin/HEAD, falling back to main); refuse otherwise. The
check is skipped in --dry and --skip-git modes since they create no tags.

Adds an integration test (temp repo + bare remote) covering the in-sync,
local-only-commit, and pushed cases, and documents the release workflow and
guard in docs/releasing.md.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

…et origin/HEAD

- Subtest 3 now creates a local-only commit and asserts failure before
  pushing, so the fail -> push -> pass recovery path is exercised even
  when the subtest runs in isolation.
- remoteDefaultBranch logs a diagnostic to stderr when origin/HEAD is
  unset, so a wrong "main" assumption is visible instead of surfacing as
  a confusing "couldn't find remote ref" fetch error.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>