[User Story] Update CI/CD to determine environment from target branch

[noahwhite]

Story Summary

As a platform maintainer, I want the CI/CD pipeline to automatically select the correct R2 bucket based on the target branch, so that artifacts are published to the appropriate environment without manual intervention.

---

✅ Acceptance Criteria

• Workflow detects target branch and maps to environment:
  • develop branch → dev bucket (ghost-dev-sysext-images)
  • staging branch → staging bucket (ghost-staging-sysext-images)
  • main branch → prod bucket (ghost-prod-sysext-images)
• Add --env parameter back to fetch-secrets.sh
• Script constructs bucket name dynamically: ghost-${ENV}-sysext-images
• Use environment-specific Bitwarden secret IDs for R2 credentials
• Workflow uses correct BWS_ACCESS_TOKEN_${ENV} secret for each environment

---

📝 Additional Context

• Depends on GHO-39 (R2 buckets must exist first)
• Depends on GHO-40 (Bitwarden machine accounts must be configured)
• Current implementation hardcodes ghost-dev-sysext-images
• Branch detection should work for both push events and workflow_dispatch

---

📦 Definition of Ready

• Acceptance criteria defined
• No unresolved external dependencies (blocked by GHO-39, GHO-40)
• Story is estimated
• Team has necessary skills and access
• Priority is clear
• Business value understood

---

✅ Definition of Done

• All acceptance criteria met
• Unit/integration tests written & passing
• Peer-reviewed (PR approved)
• Docs updated (if applicable)
• Verified in staging (if needed)
• No critical bugs/regressions

[linear]

GHO-40