chore: add condition to bootstrap file publish role (#30823)

Adds a condition to restrict s3 permissions on the file publish role.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: scanlonp

packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml

@@ -377,6 +377,10 @@ Resources:
             Resource:
               - Fn::Sub: "${StagingBucket.Arn}"
               - Fn::Sub: "${StagingBucket.Arn}/*"
+            Condition:
+              StringEquals:
+                aws:ResourceAccount:
+                  - Fn::Sub: ${AWS::AccountId}
             Effect: Allow
           - Action:
               - kms:Decrypt
@@ -619,7 +623,7 @@ Resources:
       Type: String
       Name:
         Fn::Sub: '/cdk-bootstrap/${Qualifier}/version'
-      Value: '20'
+      Value: '21'
 Outputs:
   BucketName:
     Description: The name of the S3 bucket owned by the CDK toolkit stack