* ci(preview): split PR image builds from trusted deploys
* ci(preview): harden preview artifact handoff
Move the preview image artifact into the trusted preview workflow as a no-secret build job, gate deployment on base-trusted workflow definitions, and keep Cloudflare credentials isolated to the deploy-only job.
Also fail closed when the pushed image reference is not written into wrangler.toml and expand the preview deploy guard to enforce the same-run artifact and permission boundaries.
* ci(preview): move preview builds out of privileged trigger
* ci(preview): avoid secret-shaped wrangler env assignments
* ci(preview): keep wrangler credential env explicit
