fix(ci): fix the schema bumping path issue #134
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Reviewed by Cursor Bugbot for commit 1b65a7f.
| name: Bump SHA in automator | ||
| if: github.ref == 'refs/heads/main' | ||
| uses: ./.github/workflows/bump-sha.yml | ||
| secrets: inherit | ||
|
|
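Review bot: `secrets: inherit` on the `uses: ./.github/workflows/bump-sha.yml` call passes every secret available to the caller into the reusable workflow, so the `if: github.ref == 'refs/heads/main'` line is the only guard shown here that limits which refs reach those secrets. Keep that condition on the job, and consider replacing `inherit` with an explicit `secrets:` mapping that names only what `bump-sha.yml` needs.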
Bug: Removing the `if` condition on the `bump-sha` job causes it to run on pull requests and non-main branches, incorrectly updating a downstream repository with non-production commit SHAs.
Severity: HIGH
Suggested Fix
Re-introduce a condition to ensure the `bump-sha` job only runs on pushes to the main branch. The original condition `if: github.ref == 'refs/heads/main'` would work. A more explicit condition is `if: github.event_name == 'push' && github.ref == 'refs/heads/main'`.
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.
Location: .github/workflows/main.yml#L205-L208
Potential issue: The removal of the `if: github.ref == 'refs/heads/main'` condition on
the `bump-sha` job causes it to execute on unintended triggers. The workflow is
configured to run on `pull_request` events and pushes to branches like `test-me-*` and
`release/**`. Without the conditional, the `bump-sha` job will execute in these
scenarios, not just on pushes to `main`. This will cause the `bump_sha.py` script to be
called with a `github.sha` from a feature branch, release branch, or unmerged PR,
leading to incorrect, non-production SHAs being pushed to the `sentry-options-automator`
repository, potentially causing incorrect configurations to be deployed.
Also affects:
.github/workflows/bump-sha.yml:24
aware of this, purely for testing.
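
A small checker for the condition discussed in this thread, as an added example that is not part of the PR or the project's code: it flags jobs that call a reusable workflow with `secrets: inherit` but carry no job-level `if:` restricting them to `refs/heads/main`. The sample workflow and its job ids are constructed, and the line-based parser assumes block-style YAML with consistent indentation.

```python
import re

# Constructed sample, not the project's real main.yml; job ids are hypothetical.
SAMPLE = """\
on:
  pull_request:
  push:
    branches: [main, test-me-*, release/**]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: make
  bump-sha-unguarded:
    uses: ./.github/workflows/bump-sha.yml
    secrets: inherit
  bump-sha-guarded:
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    uses: ./.github/workflows/bump-sha.yml
    secrets: inherit
"""

MAIN_GUARD = re.compile(r"github\.ref\s*==\s*'refs/heads/main'")

def job_keys(text):
    """Map each job id under `jobs:` to its direct keys (indentation-based)."""
    jobs, current, in_jobs, job_indent, key_indent = {}, None, False, None, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:                      # new top-level key
            in_jobs, current = line.startswith("jobs:"), None
        elif in_jobs:
            job_indent = indent if job_indent is None else job_indent
            if indent == job_indent:         # a job id line
                current, key_indent = line.strip().rstrip(":"), None
                jobs[current] = {}
            elif current is not None:
                key_indent = indent if key_indent is None else key_indent
                if indent == key_indent:     # direct key of the job
                    key, _, value = line.strip().partition(":")
                    jobs[current][key] = value.strip()
    return jobs

def unguarded_secret_jobs(text):
    """Job ids that inherit secrets into a reusable workflow without a main-only `if:`."""
    return [job for job, keys in job_keys(text).items()
            if "uses" in keys and keys.get("secrets") == "inherit"
            and not MAIN_GUARD.search(keys.get("if", ""))]

if __name__ == "__main__":
    print(unguarded_secret_jobs(SAMPLE))
```

The check only inspects job-level `if:` expressions; a workflow whose triggers are already limited to `main` would be reported even though it is safe.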
