Fix triggering rules for the "publish-cleanup" job

Fix triggering rules for the "publish-cleanup" job

The "publish-cleanup" tag pipeline job is currently created for all
security releases, including BIND -S releases, but it depends on the
"publish" job, which is only created for open source releases.  This
breaks CI configuration for BIND -S tags, preventing pipelines from
getting created for such tags altogether.  Fix by only creating the
"publish-cleanup" job in tag pipelines for open source security
releases.

(cherry picked from commit bb40c3463831d5520faf3b9bec1703df2e836684)