ci: publish-test-deps-image.yml -- align with bootstrap PR #402

Drop the fork-allowance/ci-draft-pause-branch additions so this
file matches the version going in via PR #402. After #402 merges
to master, this PR's branch will have the identical content -- no
merge conflict, no duplicate-but-different file diff to resolve.

Reverts the temporary changes from previous commits:
  - branches: ['master','main','ci-draft-pause'] -> ['master','main']
  - aidangarske/wolfProvider repo allowance dropped
  - per-owner ghcr namespace logic dropped (canonical wolfssl/ only)
  - concurrency group simplified (no ${{ github.repository }} suffix)

If you still want fork-side iteration after #402 merges, do it on
the bootstrap branch with workflow_dispatch on the canonical repo;
the canonical publish flow is what consumers actually pull from.

Author: aidangarske

.github/workflows/publish-test-deps-image.yml

@@ -1,36 +1,23 @@
 name: Publish test-deps image
 
 # Builds docker/wolfprovider-test-deps/Dockerfile and pushes it to
-# ghcr.io/<repo-owner>/wolfprovider-test-deps:bookworm.
+# ghcr.io/wolfssl/wolfprovider-test-deps:bookworm.
 #
-# Fires on:
-#   - push to master/main on wolfSSL/wolfProvider (canonical publish)
-#   - push to any branch on aidangarske/wolfProvider (fork-side
-#     bootstrap, so PR #400 has an image to point at while iterating)
-#   - workflow_dispatch (manual fire from either repo)
-#
-# Pushes to whichever ghcr namespace the runner is in:
-#   - wolfSSL/wolfProvider  -> ghcr.io/wolfssl/wolfprovider-test-deps
-#   - aidangarske/wolfProvider -> ghcr.io/aidangarske/wolfprovider-test-deps
-#
-# The consumer workflows (bind9, curl, etc.) hardcode the canonical
-# wolfssl namespace, so the fork-side publish is purely for the fork
-# owner to validate the build/push pipeline -- not for the PR's
-# consumer workflows to use.
+# Fires when the Dockerfile (or this workflow file) changes on master.
+# The pushed package stays private -- consumer workflows running on
+# wolfSSL/wolfProvider use the canonical GITHUB_TOKEN, which has read
+# access to the org's private packages.
 
 on:
   push:
-    branches:
-      - master
-      - main
-      - 'ci-draft-pause'    # TEMPORARY: PR #400's working branch
+    branches: [ 'master', 'main' ]
     paths:
       - 'docker/wolfprovider-test-deps/**'
       - '.github/workflows/publish-test-deps-image.yml'
   workflow_dispatch: {}
 
 concurrency:
-  group: publish-test-deps-image-${{ github.repository }}-${{ github.ref }}
+  group: publish-test-deps-image
   cancel-in-progress: false
 
 permissions:
@@ -39,26 +26,16 @@ permissions:
 
 jobs:
   publish:
-    # Only allow the two known-good repos. Refuse to push from any
-    # other fork to avoid burning runner-minutes building an image
-    # that nothing will pull.
-    if: github.repository == 'wolfSSL/wolfProvider' || github.repository == 'aidangarske/wolfProvider'
+    # Only the canonical repo's runner has a token authorized to push
+    # to ghcr.io/wolfssl/*. Forks won't have that scope, so skip.
+    if: github.repository == 'wolfSSL/wolfProvider'
     runs-on: ubuntu-22.04
     timeout-minutes: 45
-    env:
-      IMAGE_OWNER: ${{ github.repository_owner }}
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 1
 
-      - name: Compute lowercase image owner
-        id: owner
-        run: |
-          # ghcr.io path components must be lowercase even though the
-          # GitHub org casing is "wolfSSL".
-          echo "lc=$(echo "${IMAGE_OWNER}" | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT"
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
@@ -76,7 +53,7 @@ jobs:
           file: docker/wolfprovider-test-deps/Dockerfile
           push: true
           tags: |
-            ghcr.io/${{ steps.owner.outputs.lc }}/wolfprovider-test-deps:bookworm
-            ghcr.io/${{ steps.owner.outputs.lc }}/wolfprovider-test-deps:bookworm-${{ github.sha }}
-          cache-from: type=registry,ref=ghcr.io/${{ steps.owner.outputs.lc }}/wolfprovider-test-deps:bookworm
+            ghcr.io/wolfssl/wolfprovider-test-deps:bookworm
+            ghcr.io/wolfssl/wolfprovider-test-deps:bookworm-${{ github.sha }}
+          cache-from: type=registry,ref=ghcr.io/wolfssl/wolfprovider-test-deps:bookworm
           cache-to: type=inline