.github: clarify docker build steps

.github/workflows/docker.yml

@@ -5,6 +5,8 @@ on:
     branches: [ 'main' ]
     tags: [ 'v*' ]
   pull_request:
+    # Run the workflow on pull_request events to ensure we can still build the image.
+    # We only publish the image on push events (see if statements in steps below).
     branches: [ 'main' ]
 
 env:
@@ -27,7 +29,7 @@ jobs:
 
     - name: Log into registry ${{ env.REGISTRY }}
       uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
-      if: github.event_name != 'pull_request'
+      if: github.event_name == 'push'
       with:
         registry: ${{ env.REGISTRY }}
         username: ${{ github.actor }}
@@ -50,10 +52,10 @@ jobs:
 
     # Sign the Docker image
     - name: Install cosign
-      if: github.event_name != 'pull_request'
+      if: github.event_name == 'push'
       uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b #v2.8.1
     - name: Sign the published Docker image
-      if: github.event_name != 'pull_request'
+      if: github.event_name == 'push'
       env:
         COSIGN_EXPERIMENTAL: "true"
       run: cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}