Skip Docker auth and push steps when secrets are unavailable

On fork pushes, secrets are not available but the event_name is "push"
(not "pull_request"), so the existing guards don't prevent the Google
auth step from running and failing.

Add env.SERVICE_ACCOUNT != '' checks to all secret-dependent steps
so they are skipped gracefully on forks.

Author: ericmj

.github/workflows/main.yml

@@ -52,7 +52,7 @@ jobs:
       - name: Google auth
         id: auth
         uses: 'google-github-actions/auth@v2'
-        if: ${{ github.event_name != 'pull_request' }}
+        if: ${{ github.event_name != 'pull_request' && env.SERVICE_ACCOUNT != '' }}
         with:
           token_format: 'access_token'
           project_id: ${{ env.PROJECT_ID }}
@@ -62,7 +62,7 @@ jobs:
       - name: Docker Auth
         id: docker-auth
         uses: 'docker/login-action@v3'
-        if: ${{ github.event_name != 'pull_request' }}
+        if: ${{ github.event_name != 'pull_request' && env.SERVICE_ACCOUNT != '' }}
         with:
           registry: gcr.io
           username: 'oauth2accesstoken'
@@ -73,19 +73,19 @@ jobs:
         uses: docker/build-push-action@v6
         with:
           platforms: ${{ matrix.platform }}
-          outputs: type=image,name=gcr.io/${{ env.PROJECT_ID }}/${{ env.IMAGE_NAME }},push-by-digest=true,name-canonical=true,push=${{ github.event_name != 'pull_request' }}
+          outputs: type=image,name=gcr.io/${{ env.PROJECT_ID }}/${{ env.IMAGE_NAME }},push-by-digest=true,name-canonical=true,push=${{ github.event_name != 'pull_request' && env.SERVICE_ACCOUNT != '' }}
           cache-from: type=gha,scope=${{ matrix.runner }}
           cache-to: type=gha,scope=${{ matrix.runner }},mode=max
 
       - name: Export digest
-        if: ${{ github.event_name != 'pull_request' }}
+        if: ${{ github.event_name != 'pull_request' && env.SERVICE_ACCOUNT != '' }}
         run: |
           mkdir -p /tmp/digests
           digest="${{ steps.build.outputs.digest }}"
           touch "/tmp/digests/${digest#sha256:}"
 
       - name: Upload digest
-        if: ${{ github.event_name != 'pull_request' }}
+        if: ${{ github.event_name != 'pull_request' && env.SERVICE_ACCOUNT != '' }}
         uses: actions/upload-artifact@v4
         with:
           name: digests-${{ matrix.runner }}
@@ -96,7 +96,7 @@ jobs:
   docker-merge:
     name: Docker Merge
     runs-on: ubuntu-24.04
-    if: ${{ github.event_name != 'pull_request' }}
+    if: ${{ github.event_name != 'pull_request' && secrets.GCLOUD_SERVICE_ACCOUNT != '' }}
     needs: docker
     permissions:
       contents: 'read'