ci: push sha-tagged image for all same-repo runs, not just master

[Copilot]

Stage 3 (nextflow-test) was always testing the stale master image because stage 2 (build-push-container) only pushed/tagged on master pushes — all branch and PR builds produced no image in the registry, so the artifact fell back to ghcr.io/…:master.

Changes

build-push-container.yml

• Replace is_master_push gate with a can_push flag that is true for all trusted contexts: same-repo branch pushes, same-repo PRs, and workflow_dispatch. Fork PRs remain build-only (no secrets available).
• sha-<short> tag is pushed whenever can_push=true; master tag is added only on master pushes.
• Artifact always contains the exact sha-<short> ref when an image was pushed, so stage 3 tests the image just built rather than the stale master.
• IMAGE_NAME changed from ${{ github.repository }} (produces mixed-case FertigLab/CoGAPS) to the hardcoded lowercase fertiglab/cogaps, consistent with nextflow-test.yml.

# before: only master runs could push
is_master_push="false"
if push && branch == master: is_master_push="true"

# after: any trusted same-repo run can push
can_push="false"
if workflow_dispatch:              can_push="true"
if push (any branch):              can_push="true"
if pull_request && same repo:      can_push="true"
# fork PRs: can_push stays false

Fork PRs still fall back to ghcr.io/fertiglab/cogaps:master in the artifact, preserving the existing behaviour for untrusted contexts.