* ci: add Trivy CVE scan to container release workflow
* ci: pin trivy-action version and fail on HIGH/CRITICAL CVEs

  Address review feedback:
  - Pin aquasecurity/trivy-action to v0.28.0 instead of @master
  - Add exit-code: '1' so the scan fails the job on findings
  - Add comment explaining why only amd64 is scanned
* ci: pin trivy-action to SHA for v0.35.0

  Tags ≤0.34.2 were compromised (GHSA-69fq-xp46-6x23). Pin to the full
  commit SHA of v0.35.0 to avoid mutable tag risks.
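The pinning rule these commits converge on can be checked mechanically. The script below is an added example, not code from this PR or from trivy-action: it scans a workflow for `uses:` refs that are not full 40-hex commit SHAs, and additionally flags `aquasecurity/trivy-action` tags at or below 0.34.2, the range the last commit describes as compromised. The sample workflow and its SHA are constructed placeholders, not the real v0.35.0 commit.

```python
"""Flag mutable action refs in a GitHub Actions workflow (added example)."""
import re

# Matches "- uses: owner/repo@ref" (the action path, then the ref after '@').
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Highest trivy-action tag the commit message names as compromised (GHSA-69fq-xp46-6x23).
COMPROMISED_MAX = (0, 34, 2)


def parse_version(ref):
    """Turn a tag like v0.28.0 into a comparable tuple, or None if not semver."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)$", ref)
    return tuple(int(x) for x in m.groups()) if m else None


def check_workflow(text):
    """Return (line_no, action, ref, finding) for every risky `uses:` entry."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.groups()
        if SHA_RE.match(ref):
            continue  # immutable pin: a tag push cannot move this ref
        ver = parse_version(ref)
        if action == "aquasecurity/trivy-action" and ver and ver <= COMPROMISED_MAX:
            findings.append((no, action, ref, "tag in compromised range (GHSA-69fq-xp46-6x23)"))
        else:
            findings.append((no, action, ref, "mutable ref; pin to full commit SHA"))
    return findings


# Constructed sample: the three trivy-action refs seen across the commit history.
SAMPLE = """\
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
      - uses: aquasecurity/trivy-action@v0.28.0
        with:
          exit-code: '1'
          severity: 'HIGH,CRITICAL'
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567 # v0.35.0 (placeholder SHA)
"""

if __name__ == "__main__":
    for no, action, ref, why in check_workflow(SAMPLE):
        print(f"line {no}: {action}@{ref}: {why}")
```

Only the SHA-pinned step passes; `@master`, `@v4` and `@v0.28.0` are all reported, the last one as falling inside the compromised tag range.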