clang image: rework workflow to dry run on PR

[mtardy]

Fixes #750 since other workflows build-image-ci.yml and build-images-releases.yml are already acting differently in the case of push on main and PRs.

• Add a path addition to allow for the workflow to be tested when we modify it in a PR.
• Add a boolean condition in quay login step and at pushing step to only push on commit on main.
• Remove the environment since the workflow can run without approval now. We will still need the credential from the environment to login to quay thought.

Warning: I need external action on the repo for this PR to work when merged:

          username: ${{ secrets.QUAY_CLANG_RELEASE_USERNAME }}
          password: ${{ secrets.QUAY_CLANG_RELEASE_PASSWORD }}

These secrets must be moved from the environment: release-clang to the global env if it makes sense.

[mtardy]

I have an issue because I cannot locally load the multi-arch build. And bom need the image to exist to generate the sbom. So I can maybe disable the whole sbom thing for dry-run?

[mtardy]

I have an issue because I cannot locally load the multi-arch build. And bom need the image to exist to generate the sbom. So I can maybe disable the whole sbom thing for dry-run?

This is basically because of this long standing issue docker/buildx#59.

[willfindlay]

We ended up deciding to keep the release-clang environment but still do a dry-run only on PRs. This has the unfortunate side effect of requiring approval on dry-runs but I think we can live with that.