ci: only build and push on version tags, not main branch

Changed workflow to only trigger on version tags (v*.*.*).
PRs still trigger for validation (build only, no push).

Workflow behavior:
- Push to main: No action
- Push tag v1.2.3: Build and push to DockerHub
- Open PR: Build only (validation)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: MatteoMori

.github/workflows/build-and-push.yaml

@@ -2,10 +2,8 @@ name: Build and Push Docker Image
 
 on:
   push:
-    branches:
-      - main
     tags:
-      - 'v*.*.*'  # Triggers on version tags like v1.0.0, v1.2.3, etc.
+      - 'v*.*.*'  # Only trigger on version tags like v1.0.0, v1.2.3, etc.
   pull_request:
     branches:
       - main
@@ -37,7 +35,7 @@ jobs:
         uses: docker/setup-buildx-action@v3
 
       - name: Log in to DockerHub
-        if: github.event_name != 'pull_request'
+        if: startsWith(github.ref, 'refs/tags/v')
         uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
@@ -69,15 +67,15 @@ jobs:
         uses: docker/build-push-action@v5
         with:
           context: .
-          push: ${{ github.event_name != 'pull_request' }}
+          push: ${{ startsWith(github.ref, 'refs/tags/v') }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
           platforms: linux/amd64
 
       - name: Generate artifact attestation
-        if: github.event_name != 'pull_request'
+        if: startsWith(github.ref, 'refs/tags/v')
         uses: actions/attest-build-provenance@v1
         with:
           subject-name: ${{ env.DOCKER_IMAGE }}