* ci(preview): rewrite image config before registry push
Point the trusted preview deploy config at the loaded CI image before Wrangler validates the worker config for the Cloudflare registry push. This keeps the existing trusted deploy boundary intact while fixing the post-2062 image-push ordering regression.
* ci(preview): require trusted readiness diagnostics
* ci(preview): use nonce for diagnostics events
* ci(preview): retain diagnostics timing anchors
* ci(preview): split PR image builds from trusted deploys
* ci(preview): harden preview artifact handoff
Move the preview image artifact into the trusted preview workflow as a no-secret build job, gate deployment on base-trusted workflow definitions, and keep Cloudflare credentials isolated to the deploy-only job.
Also fail closed when the pushed image reference is not written into wrangler.toml and expand the preview deploy guard to enforce the same-run artifact and permission boundaries.
* ci(preview): move preview builds out of privileged trigger
* ci(preview): avoid secret-shaped wrangler env assignments
* ci(preview): keep wrangler credential env explicit
* ci(preview): isolate deployment tooling
Keep PR preview source separate from the deployment toolchain by building a temporary deploy workspace from base-revision preview metadata and PR-owned source.
Add a focused CI guard so future preview workflow edits preserve the trusted tooling split.
* ci(preview): harden workflow guard checks
Address CodeRabbit feedback by making the preview deploy guard assertions collision-proof and more resilient to equivalent GitHub Actions expression and workspace path forms.
* ci(preview): normalize workflow guard paths
* ci(preview): defer workflow guard validation
* revert(preview): restore workflow guard validation
* ci(preview): gate preview deployments
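
The fail-closed check on the image reference mentioned above can be sketched as follows. This is an added example, not code from this commit or the project. It assumes the image lives in an `image` key under a `[[containers]]` table in wrangler.toml; `pin_image`, `ImagePinError`, and the sample config are hypothetical names and constructed data.

```python
import re
from pathlib import Path

# Constructed sample config; the [[containers]] / image layout is an assumption.
SAMPLE_CONFIG = '''name = "preview-worker"
main = "src/index.ts"

[[containers]]
class_name = "PreviewContainer"
image = "./Dockerfile"
'''

IMAGE_KEY = re.compile(r'^(\s*image\s*=\s*)"([^"]*)"\s*$')
SAFE_REF = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/:@-]*")


class ImagePinError(RuntimeError):
    """The config on disk does not point at the pushed image."""


def _scan(text, new_ref=None):
    """Walk the TOML line by line (simplified: no multi-line values).

    Returns (lines, image values found inside [[containers]] tables).
    """
    lines, images, in_containers = [], [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_containers = stripped == "[[containers]]"
        match = IMAGE_KEY.match(line) if in_containers else None
        if match:
            if new_ref is not None:
                line = f'{match.group(1)}"{new_ref}"'
            images.append(new_ref if new_ref is not None else match.group(2))
        lines.append(line)
    return lines, images


def pin_image(config_path, pushed_ref):
    """Rewrite the container image to pushed_ref, then verify the file on disk."""
    if not SAFE_REF.fullmatch(pushed_ref):
        raise ImagePinError(f"refusing malformed image reference: {pushed_ref!r}")
    path = Path(config_path)
    lines, _ = _scan(path.read_text(), new_ref=pushed_ref)
    path.write_text("\n".join(lines) + "\n")
    # Fail closed: trust only what a fresh read of the file shows.
    _, found = _scan(path.read_text())
    if not found or any(value != pushed_ref for value in found):
        raise ImagePinError(f"{path} does not reference {pushed_ref}: {found}")
    return found
```

A deploy step would call `pin_image` before invoking Wrangler and stop the job on `ImagePinError`, so a config that never received the pushed reference cannot be deployed.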