https://docs.github.com/en/actions/reference/events-that-trigger-workflows#workflow_run

The push job in build.yml could use the workflow_run functionality instead, so that builds from unprivileged users can be pushed to the registry too.