feat: add VM tools image build GHA workflow #21

Open
celanthe wants to merge 2 commits into main from uodate-vm-tools-workflow

@celanthe celanthe commented Feb 19, 2026

What:

Adds .github/workflows/update-vm-tools.yml: a workflow_dispatch workflow that updates all 6 base images (tahoe, sequoia, sonoma, monterey --latest and 200-gb variants) with the latest vm-tools, network tuning, and remote access configuration.

Why:

  • Replaces the previous manual process with an automated workflow that uses
    orka-engine vm save + orka-engine image push to produce clean, distributable images.

What it configures per image:

  • vm-tools — downloaded from the public S3 URL, no AWS credentials needed
  • Network tuning daemon — installs setup-sys-daemon.sh from packer-plugin-macstadium-orka, which disables hardware checksum offloading and
    TSO at boot via a LaunchDaemon
  • Remote login (SSH) — systemsetup -setremotelogin on + explicit launchctl
    load of ssh.plist (belt-and-suspenders since systemsetup is deprecated on
    Sonoma+)
  • Screen sharing — launchctl load -w com.apple.screensharing.plist
  • VNC/ARD — kickstart -activate -configure -access -on -privs -all
  • Admin credentials — sets admin user password to admin via dscl

How it works:

  • Runs on a self-hosted runner on arm-mini-002 (which is on @celanthe's cluster), which already has orka-engine
    installed. For each image: pulls from GHCR, boots a temporary VM, SCPs and
    installs everything, reboots, then saves with orka-engine vm save and pushes
    back to GHCR. Temp VM is deleted in an if: always() cleanup step.

Before merging:

  • Register self-hosted runner on arm-mini-002 with label arm-mini-002
  • Add VM_DEFAULT_PASSWORD secret to this repo's Actions secrets
  • Smoke test on tahoe:latest before running the full matrix

@celanthe celanthe self-assigned this Feb 19, 2026
@celanthe celanthe added the enhancement label Feb 19, 2026
…etup

- Move update-vm-tools.yml from workflows/ to .github/workflows/ so
  GitHub Actions picks it up
- Replace hardcoded launchctl load -w / systemsetup calls in Configure
  remote access with a version-aware setup-remote-access.sh script that
  uses launchctl enable + kickstart on Tahoe (macOS 26+) and the
  legacy launchctl load -w path on Sequoia and below

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>