feat(cicd): enable S3-triggered CodePipeline and align IAM/ECR integration

- enable EventBridge notifications on source S3 bucket
- trigger CodePipeline execution on source.zip updates
- fix artifact bucket ARN substitutions
- extend CodePipeline role permissions for S3, CodeBuild, and approvals
- allow Lambda to pull images from ECR via repository policy
- export ECR repository URI and reference it from Lambda

infra/cfn/template-container-repository.yaml

@@ -14,8 +14,21 @@ Resources:
       RepositoryName: !Ref RepositoryName
       ImageScanningConfiguration:
         ScanOnPush: true
+      RepositoryPolicyText:
+        Version: "2012-10-17"
+        Statement:
+          - Sid: AllowLambdaPullImage
+            Effect: Allow
+            Principal:
+              Service: lambda.amazonaws.com
+            Action:
+              - ecr:BatchGetImage
+              - ecr:BatchCheckLayerAvailability
+              - ecr:GetDownloadUrlForLayer
 
 Outputs:
   RepositoryUri:
     Description: URI of the ECR repository
     Value: !GetAtt Repository.RepositoryUri
+    Export:
+      Name: BlogDeployment-RepositoryUri