fix: include branch filter in CEL expression for release trigger

The on-cel-expression annotation takes precedence over on-event and
on-target-branch annotations. The previous CEL expression only checked
body.created == true, which matched ANY newly created branch push
(e.g. fix/CVE-* branches), not just release-v* branches.

Add the branch filter directly in the CEL expression to ensure the
release pipeline only triggers for release-v* branch creation.

Author: vdemeester

.tekton/release.yaml

@@ -28,9 +28,12 @@ metadata:
     # Trigger on push events to release branches, but ONLY when the branch
     # is first created (body.created == true). This means it fires exactly
     # once per release branch, not on every commit pushed to it.
+    # NOTE: on-cel-expression takes precedence over on-event/on-target-branch,
+    # so the branch filter MUST be included in the CEL expression.
     pipelinesascode.tekton.dev/on-event: "[push]"
     pipelinesascode.tekton.dev/on-target-branch: "[refs/heads/release-v*]"
-    pipelinesascode.tekton.dev/on-cel-expression: "body.created == true"
+    pipelinesascode.tekton.dev/on-cel-expression: >
+      body.created == true && pac.target_branch.startsWith("refs/heads/release-v")
     pipelinesascode.tekton.dev/pipeline: "tekton/operator-release-pipeline.yaml"
     pipelinesascode.tekton.dev/max-keep-runs: "5"
 spec: