Improve release scripts and make workflows manual

Redirect script informational/warning output to stderr and improve robustness of release tooling. Changes include:

- Redirect many echo messages to stderr so scripts can emit machine-readable output on stdout.
- Extract-release-notes: better parsing of CHANGELOG entries (tries v-prefixed and non-prefixed headings, cleaner note formatting) and improved fallbacks when changelog is missing.
- Extract-version: accept versions with +build or -suffix, add diagnostic output when pubspec is missing, and tighten validation.
- Setup/verify APK signing: more consistent stderr logging and clearer warnings; ensure keystore decoding/logging is visible.
- Minor script usage message fixes (generate-tag-name, attach-apk-to-release).
- CI/workflows: change backend-foundation, mobile-ci, and web-quality triggers to workflow_dispatch (manual runs); update product-release (make scripts step label emoji, remove node cache lines, bump Flutter to 3.38.x).

These changes improve CI reliability, make scripts friendlier for automated consumers, and fix release note/version parsing edge cases.

.github/scripts/verify-apk-signature.sh

@@ -18,41 +18,41 @@ set -e
 APK_PATH="$1"
 
 if [ -z "$APK_PATH" ]; then
-    echo "❌ Error: Missing APK path"
-    echo "Usage: $0 <apk_path>"
+    echo "❌ Error: Missing APK path" >&2
+    echo "Usage: $0 <apk_path>" >&2
     exit 1
 fi
 
 if [ ! -f "$APK_PATH" ]; then
-    echo "❌ APK not found at: $APK_PATH"
+    echo "❌ APK not found at: $APK_PATH" >&2
     exit 1
 fi
 
-echo "🔍 Verifying APK signature..."
+echo "🔍 Verifying APK signature..." >&2
 
 # Check if APK is signed
 if jarsigner -verify -verbose "$APK_PATH" 2>&1 | grep -q "jar verified"; then
-    echo "✅ APK is properly signed!"
+    echo "✅ APK is properly signed!" >&2
     
     # Extract certificate details
-    echo ""
-    echo "📜 Certificate Details:"
+    echo "" >&2
+    echo "📜 Certificate Details:" >&2
     jarsigner -verify -verbose -certs "$APK_PATH" 2>&1 | grep -A 3 "X.509" || true
     
     # Get signer info
-    echo ""
-    echo "🔑 Signer Information:"
+    echo "" >&2
+    echo "🔑 Signer Information:" >&2
     keytool -printcert -jarfile "$APK_PATH" | head -n 15
     
 else
-    echo "⚠️  WARNING: APK signature verification failed or APK is unsigned!"
-    echo ""
-    echo "This may happen if:"
-    echo "  1. GitHub Secrets are not configured for this environment"
-    echo "  2. Keystore credentials are incorrect"
-    echo "  3. Build configuration didn't apply signing"
-    echo ""
-    echo "See: docs/RELEASE/APK_SIGNING_SETUP.md for setup instructions"
+    echo "⚠️  WARNING: APK signature verification failed or APK is unsigned!" >&2
+    echo "" >&2
+    echo "This may happen if:" >&2
+    echo "  1. GitHub Secrets are not configured for this environment" >&2
+    echo "  2. Keystore credentials are incorrect" >&2
+    echo "  3. Build configuration didn't apply signing" >&2
+    echo "" >&2
+    echo "See: docs/RELEASE/APK_SIGNING_SETUP.md for setup instructions" >&2
     
     # Don't fail the build, just warn
     # exit 1