fix(ci): enable workflow_run triggers for all push branches

Update branch triggers and downstream workflow logic to support all
branches defined in docker-build.yml (main, development, feature/**).

Changes:

docker-build.yml: Expand branch glob to feature/**, use branch-based tags
playwright.yml: Replace is_beta_push with generic is_push detection
security-pr.yml: Same branch-agnostic pattern
supply-chain-pr.yml: Same pattern, skip PR comments for push events
The workflows now support any push that triggers docker-build:

main branch → tag: latest
development branch → tag: dev
feature/* branches → tag: {branch-name}
Pull requests → tag: pr-{number}
Dynamic artifact naming:

Push events: push-image (shared across all branches)
Pull requests: pr-image-{number}
This ensures CI/CD pipelines work for stable releases, bug fixes,
and new feature development without hardcoded branch names.

.github/workflows/playwright.yml

@@ -24,10 +24,11 @@ jobs:
     name: E2E Tests
     runs-on: ubuntu-latest
     timeout-minutes: 20
-    # Only run for PRs or manual dispatch
+    # Run for: manual dispatch, PR builds, or any push builds from docker-build
     if: >-
       github.event_name == 'workflow_dispatch' ||
-      (github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success')
+      ((github.event.workflow_run.event == 'pull_request' || github.event.workflow_run.event == 'push') &&
+       github.event.workflow_run.conclusion == 'success')
 
     env:
       CHARON_ENV: development
@@ -75,14 +76,27 @@ jobs:
             echo "pr_number=" >> "$GITHUB_OUTPUT"
           fi
 
+          # Check if this is a push event (not a PR)
+          if [[ "${{ github.event.workflow_run.event }}" == "push" ]]; then
+            echo "is_push=true" >> "$GITHUB_OUTPUT"
+            echo "✅ Detected push build from branch: ${{ github.event.workflow_run.head_branch }}"
+          else
+            echo "is_push=false" >> "$GITHUB_OUTPUT"
+          fi
+
       - name: Check for PR image artifact
         id: check-artifact
-        if: steps.pr-info.outputs.pr_number != ''
+        if: steps.pr-info.outputs.pr_number != '' || steps.pr-info.outputs.is_push == 'true'
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          PR_NUMBER="${{ steps.pr-info.outputs.pr_number }}"
-          ARTIFACT_NAME="pr-image-${PR_NUMBER}"
+          # Determine artifact name based on event type
+          if [[ "${{ steps.pr-info.outputs.is_push }}" == "true" ]]; then
+            ARTIFACT_NAME="push-image"
+          else
+            PR_NUMBER="${{ steps.pr-info.outputs.pr_number }}"
+            ARTIFACT_NAME="pr-image-${PR_NUMBER}"
+          fi
           RUN_ID="${{ github.event.workflow_run.id }}"
 
           echo "🔍 Checking for artifact: ${ARTIFACT_NAME}"
@@ -122,7 +136,7 @@ jobs:
           fi
 
       - name: Skip if no artifact
-        if: steps.pr-info.outputs.pr_number == '' || steps.check-artifact.outputs.artifact_exists != 'true'
+        if: (steps.pr-info.outputs.pr_number == '' && steps.pr-info.outputs.is_push != 'true') || steps.check-artifact.outputs.artifact_exists != 'true'
         run: |
           echo "ℹ️ Skipping Playwright tests - no PR image artifact available"
           echo "This is expected for:"
@@ -136,7 +150,7 @@ jobs:
         # actions/download-artifact v4.1.8
         uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
         with:
-          name: pr-image-${{ steps.pr-info.outputs.pr_number }}
+          name: ${{ steps.pr-info.outputs.is_push == 'true' && 'push-image' || format('pr-image-{0}', steps.pr-info.outputs.pr_number) }}
           run-id: ${{ steps.check-artifact.outputs.run_id }}
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
@@ -152,13 +166,23 @@ jobs:
         if: steps.check-artifact.outputs.artifact_exists == 'true'
         run: |
           echo "🚀 Starting Charon container..."
+
+          # Normalize image name (GitHub lowercases repository owner names in GHCR)
+          IMAGE_NAME=$(echo "${{ github.repository_owner }}/charon" | tr '[:upper:]' '[:lower:]')
+          if [[ "${{ steps.pr-info.outputs.is_push }}" == "true" ]]; then
+            IMAGE_REF="ghcr.io/${IMAGE_NAME}:${{ github.event.workflow_run.head_branch }}"
+          else
+            IMAGE_REF="ghcr.io/${IMAGE_NAME}:pr-${{ steps.pr-info.outputs.pr_number }}"
+          fi
+
+          echo "📦 Starting container with image: ${IMAGE_REF}"
           docker run -d \
             --name charon-test \
             -p 8080:8080 \
             -e CHARON_ENV="${CHARON_ENV}" \
             -e CHARON_DEBUG="${CHARON_DEBUG}" \
             -e CHARON_ENCRYPTION_KEY="${CHARON_ENCRYPTION_KEY}" \
-            charon:pr-${{ steps.pr-info.outputs.pr_number }}
+            "${IMAGE_REF}"
 
           echo "✅ Container started"
 
@@ -213,7 +237,7 @@ jobs:
         # actions/upload-artifact v4.4.3
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882
         with:
-          name: playwright-report-pr-${{ steps.pr-info.outputs.pr_number }}
+          name: ${{ steps.pr-info.outputs.is_push == 'true' && format('playwright-report-{0}', github.event.workflow_run.head_branch) || format('playwright-report-pr-{0}', steps.pr-info.outputs.pr_number) }}
           path: playwright-report/
           retention-days: 14