Fix SBOM/provenance manifest list error on PR builds

Fixed error: "docker exporter does not currently support exporting manifest lists"

The issue occurred because SBOM and provenance attestations create manifest
lists, which cannot be loaded to the local Docker daemon (required for PRs).

Changes:
- Made sbom conditional: only enabled for push events (not PRs)
- Made provenance conditional: only enabled for push events (not PRs)
- PRs now build without attestations (faster, avoids manifest list error)
- Production pushes still get full SBOM and provenance attestations

This allows:
- PR builds to complete successfully with load=true
- Production builds to maintain supply chain security features

.github/workflows/docker-build.yml

@@ -111,5 +111,6 @@ jobs:
           cache-to: type=gha,mode=max
           # Only specify platforms for push (multi-platform), not for load (single-platform only)
           platforms: ${{ (github.event_name != 'pull_request' && github.event_name != 'pull_request_target') && 'linux/amd64,linux/arm64' || '' }}
-          sbom: true
-          provenance: true
+          # SBOM and provenance create manifest lists, incompatible with load (PRs)
+          sbom: ${{ github.event_name != 'pull_request' && github.event_name != 'pull_request_target' }}
+          provenance: ${{ github.event_name != 'pull_request' && github.event_name != 'pull_request_target' }}