fix: restrict binary signing to espressif org push events only #14

Merged: peterdragun merged 1 commit into master from sign_master on Apr 21, 2026

@peterdragun
Collaborator

Description

Signing was running on all builds including PRs. Since secrets are accessible on internal PRs, unreviewed code could be signed before merge. Now signing only runs on push events in the espressif org, ensuring only merged code gets signed.

Related

Internal tracker: IDF-15184

Signing was running on all builds including PRs. Since secrets are
accessible on internal PRs, unreviewed code could be signed before
merge. Now signing only runs on push events in the espressif org,
ensuring only merged code gets signed.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@peterdragun peterdragun requested a review from jakub-kocka April 21, 2026 11:40
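
A workflow fragment illustrating the change described in this PR, added here as an example and not taken from the repository. The job layout, the `build.sh` and `sign.sh` scripts and the `SIGNING_KEY` secret name are assumptions; `github.event_name` and `github.repository_owner` are standard GitHub Actions context values.

```yaml
# Added illustration; job, step, script and secret names are hypothetical.
name: build

on:
  push:
    branches: [master]
  pull_request:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build binaries
        run: ./build.sh            # hypothetical build script

      # Before: no condition, so the step also ran for pull_request events.
      # A PR opened from a branch inside the repository receives secrets,
      # so code that nobody had reviewed yet could be signed.
      #
      # - name: Sign binaries
      #   run: ./sign.sh dist/
      #   env:
      #     SIGNING_KEY: ${{ secrets.SIGNING_KEY }}

      # After: sign only for push events in the espressif organization.
      # PR builds still compile, but the step that reads the secret is skipped.
      - name: Sign binaries
        if: github.event_name == 'push' && github.repository_owner == 'espressif'
        run: ./sign.sh dist/       # hypothetical signing script
        env:
          SIGNING_KEY: ${{ secrets.SIGNING_KEY }}   # hypothetical secret name
```

The `branches: [master]` filter is part of the assumption here: without it, a push to any branch in the repository is also a `push` event and would satisfy the condition.
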

@jakub-kocka jakub-kocka left a comment

Thank you, @peterdragun, for this security improvement!

@github-actions

Messages
📖 🎉 Good Job! All checks are passing!

👋 Hello peterdragun, we appreciate your contribution to this project!


Click to see more instructions ...


This automated output is generated by the PR linter DangerJS, which checks if your Pull Request meets the project's requirements and helps you fix potential issues.

DangerJS is triggered with each push event to a Pull Request and modifies the contents of this comment.

Please consider the following:
- Danger mainly focuses on the PR structure and formatting and can't understand the meaning behind your code or changes.
- Danger is not a substitute for human code reviews; it's still important to request a code review from your colleagues.
- To manually retry these Danger checks, please navigate to the Actions tab and re-run the last Danger workflow.

Review and merge process you can expect ...


We do welcome contributions in the form of bug reports, feature requests and pull requests.

1. An internal issue has been created for the PR, we assign it to the relevant engineer.
2. They review the PR and either approve it or ask you for changes or clarifications.
3. Once the GitHub PR is approved we do the final review, collect approvals from core owners and make sure all the automated tests are passing.
- At this point we may do some adjustments to the proposed change, or extend it by adding tests or documentation.
4. If the change is approved and passes the tests it is merged into the default branch.

Generated by 🚫 dangerJS against 0c07c28

@peterdragun peterdragun merged commit 670f601 into master Apr 21, 2026
2 checks passed
@peterdragun peterdragun deleted the sign_master branch April 21, 2026 12:42