ci: reduce permissions of fork builds & fix tag releases

[falcorocks]

Summary

1. Fix how we release tags to match CircleCI. Currently when we issue tag op-node/abc the GHA workflow builds all images with tag op-node-abc.
2. Split the docker CI workflows in 3 paths:

• tags.yaml: handles release tag pushes (push to GCP registry, attest)
• branches.yaml: distinguishes between local PRs and fork PRs
  • local -> push to GCP registry, attest
  • fork -> push to ttl.sh, no attest, minimal permissions

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 75.32%. Comparing base (c0d1ce8) to head (070ffef).
⚠️ Report is 11 commits behind head on develop.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #18501      +/-   ##
===========================================
- Coverage    75.62%   75.32%   -0.30%     
===========================================
  Files          187      187              
  Lines        11199    11199              
===========================================
- Hits          8469     8436      -33     
- Misses        2584     2619      +35     
+ Partials       146      144       -2     

Flag	Coverage Δ
cannon-go-tests-64	66.58% <ø> (-0.82%)	⬇️
contracts-bedrock-tests	80.24% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.
see 5 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.