fix: KEEP-293 tolerate missing ECR credentials for Dependabot PR builds

[suisuss]

Summary

The build job in pr-checks.yml has failed on every Dependabot-authored PR since KEEP-266 + KEEP-267 landed (2026-04-17) because the job requires AWS/ECR credentials that Dependabot workflow runs cannot access.

Fix:

• .github/workflows/pr-checks.yml: skip Configure AWS credentials and Login to AWS ECR steps when github.actor == 'dependabot[bot]'. ECR_REGISTRY env var then arrives empty at the bake step.
• docker-bake.hcl: guard tags, cache-from, cache-to on the app target with ECR_REGISTRY != "". Empty registry -> no tags, no cache, pure Dockerfile validation build.

Only the app target is modified because the PR CI build job only builds the app target. Deploy/release workflows that build the other targets (migrator, workflow-runner, etc.) always have ECR credentials, so those targets are untouched.

Root cause

Before KEEP-267, PR CI ran pnpm build (no AWS needed) and Dependabot PRs worked. KEEP-267 replaced it with docker buildx bake + ECR cache, which requires secrets.TO_AWS_ACCESS_KEY_ID / TO_AWS_SECRET_ACCESS_KEY — both scoped to the staging environment. GitHub deliberately does not expose Actions secrets or environment secrets to Dependabot workflow runs, so both references resolve to empty strings, aws-actions/configure-aws-credentials@v6 exhausts its provider chain, and the job fails with Could not load credentials from any providers.

Regular (human-authored) PRs are unaffected — they have normal environment access and the build job passes (e.g., #905).

First visible failure: #889 (dompurify bump in docs-site). Ticket: KEEP-293.

Tradeoff

Dependabot validation runs without registry build cache -- full cold build, ~5-10 min. Acceptable for correctness.

Test plan

• Merge this PR to staging
• Rebase PR chore(deps): bump dompurify from 3.3.3 to 3.4.0 in /docs-site in the npm_and_yarn group across 1 directory #889 (Dependabot dompurify bump) onto updated staging
• Confirm chore(deps): bump dompurify from 3.3.3 to 3.4.0 in /docs-site in the npm_and_yarn group across 1 directory #889's build check passes without any AWS creds being granted to Dependabot
• Verify a regular (human-authored) PR still exercises the ECR cache path as before

[github-actions]

🧹 PR Environment Cleaned Up

The PR environment has been successfully deleted.

Deleted Resources:

• Namespace: pr-906
• All Helm releases (Keeperhub, Scheduler, Event services)
• PostgreSQL Database (including data)
• LocalStack, Redis
• All associated secrets and configs

All resources have been cleaned up and will no longer incur costs.

[github-actions]

ℹ️ No PR Environment to Clean Up

No PR environment was found for this PR. This is expected if:

• The PR never had the deploy-pr-environment label
• The environment was already cleaned up
• The deployment never completed successfully