ci: route PR docker builds to tmp registry

[falcorocks]

Summary

Route pull-request docker builds to a new ephemeral tmp Artifact Registry instead of the production images registry. Push-to-develop and scheduled builds still target images; tag/release builds (in tags.yaml) are unchanged.

Test plan

• Open this PR; confirm the build job pushes to us-docker.pkg.dev/oplabs-tools-artifacts/tmp/<image>:<sha>
• Pull one of the built images and run --version
• After merge, confirm a develop push still targets us-docker.pkg.dev/oplabs-tools-artifacts/images

Closes #20137

[raffaele-oplabs]

Security review: approved.

This is the direct follow-up to ethereum-optimism/k8s#10613 (tmp registry creation) and #10614 (WIF write binding for this monorepo) — completing the PR-build isolation chain.

Verified:

• Diff is a surgical three-line ternary on github.event_name: pull_request pushes to the new tmp registry, everything else (push to develop, scheduled, workflow_dispatch) keeps pushing to images. tags.yaml untouched — tag/release builds remain on images.
• The IMAGE: env ternary in the downstream run-image jobs preserves the existing fork split (build-fork.result == 'success' → ttl.sh for fork PRs) and only rewires the non-fork PR branch from images to tmp. Fork PRs never gain GCP auth via this change.
• github.event_name is a trusted context value set by GitHub Actions — not user-influenceable. The image name (matrix.image_name) still comes from the detect-changes action driven by repo-local docker-bake.hcl, so no injection surface.
• CI already ran this config on this PR: the attest build provenance and build (…) jobs pushed to us-docker.pkg.dev/oplabs-tools-artifacts/tmp/<image>:<sha> and succeeded. Confirms the WIF binding from k8s#10614 works end-to-end.
• Net effect: narrowing blast radius — untrusted-ish PR-branch builds no longer land in the production images registry. 30-day cleanup on tmp caps persistence.

No new attack surface, no removed checks, no widened permissions.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 76.2%. Comparing base (47b3f23) to head (1199351).

Additional details and impacted files

@@            Coverage Diff             @@
##           develop   #20138     +/-   ##
==========================================
- Coverage     76.4%    76.2%   -0.3%     
==========================================
  Files          187      187             
  Lines        10703    10703             
==========================================
- Hits          8185     8159     -26     
- Misses        2374     2400     +26     
  Partials       144      144             

Flag	Coverage Δ
cannon-go-tests-64	66.3% <ø> (ø)
contracts-bedrock-tests	82.2% <ø> (-0.4%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 1 file with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.