CI: tweak OCI build triggers

Building on push to any branch is wasteful and unnecessary, because most
of built images are never used. The workflow dispatch trigger covers the
use case to build an image from the latest commit in a branch.

The use case to validate/QA a PR is now covered by on pull request
trigger. This trigger has a caveat: PRs from forks won't produce a
docker image.

Why?
Because PRs from forks do not inject rabbitmq-server secrets. This is a
security mechanism from GitHub, to protect repository secrets.

With this trigger is possible to QA/validate PRs from other Core team
members. Technically, anyone with 'write' access to our repo to push
branches.

Author: Zerpet

.github/workflows/oci-make.yaml

@@ -5,7 +5,7 @@
 #
 name: OCI (make)
 on:
-  push:
+  pull_request:
     paths:
       - deps/**
       - scripts/**
@@ -27,7 +27,7 @@ on:
         default: false
 env:
   REGISTRY_IMAGE: pivotalrabbitmq/rabbitmq
-  VERSION: 4.1.0+${{ github.sha }}
+  VERSION: 4.2.0+${{ github.sha }}
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
@@ -39,6 +39,8 @@ jobs:
         - ${{ github.event.inputs.otp_version || '27' }}
     runs-on: ubuntu-latest
     outputs:
+      # When dependabot, or a user from a fork, creates PRs, secrets are not injected, and the OCI workflow can't push the image
+      # This check acts as a gate keeper
       authorized: ${{ steps.authorized.outputs.authorized }}
     steps:
       - name: CHECK IF IMAGE WILL PUSH