Dockerize always fails for dependabot PRs

[jtherrmann]

The dockerize job always fails at AWS auth here for dependabot PRs with The security token included in the request is invalid. Re-running the job has the same results. The only workaround is to close and re-open the dependabot PR.

According to Copilot:

• Dependabot PRs are considered "forked" PRs and run with restricted permissions.
• Repository secrets are NOT available to workflows running on PRs from forks for security reasons.

The easiest resolution here is probably to skip the dockerize job for dependabot PRs, e.g:

jobs:
  dockerize:
    if: github.actor != 'dependabot[bot]'
    ...

Our tests and static analysis are probably sufficient to catch any bugs that would have surfaced during the Docker build.

[jtherrmann]

Actually, always skipping the job for dependabot PRs isn't ideal, because if any of the reusable action versions used in the dockerize job get bumped by dependabot, then we don't get verification that the job still works.

The other solution suggested by Copilot is to use the pull_request_target trigger, which it claims means that the workflow runs in the context of the target branch, so will have access to secrets. It warns that you shouldn't checkout untrusted code in such a workflow. But I'd want to read more about this approach before implementing it.