Restrict Docker image pushes to branches from upstream repo

Should avoid the permission denied errors for PRs originating in other
repos.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: zeha

.github/workflows/docker.yml

@@ -97,7 +97,7 @@ jobs:
       with:
         context: .
         file: ./Dockerfile
-        push: true
+        push: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
         tags: ${{ steps.meta.outputs.tags }}
         labels: |
           ${{ steps.meta.outputs.labels }}
@@ -115,6 +115,7 @@ jobs:
   create-manifest:
     runs-on: ubuntu-latest
     needs: build-and-push
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
     permissions:
       contents: read
       packages: write
@@ -161,7 +162,7 @@ jobs:
 
   comment-pr:
     runs-on: ubuntu-latest
-    if: github.event_name == 'pull_request'
+    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
     needs: create-manifest
     permissions:
       contents: read