ci: scan the kargo image for CVEs with Grype at build and release time #6410

Open · EronWright wants to merge 3 commits into main from EronWright/cve-scanning

Conversation

@EronWright (Contributor)

Adds hack/cve-scan.sh — the CVE scan recipe used across Akuity image pipelines — and wires it into the two places the kargo image is built:

| Workflow / job | Scan source |
|---|---|
| ci.yaml / build-image | job-local registry service (the multi-platform build previously stayed only in buildx cache with push: false; it now also pushes to the job's registry:3.0.0 service — nothing leaves the runner) |
| release.yaml / publish-image | the just-pushed digest, right after signing |

Behavior:

  • Report-only: findings table in the job step summary + a ::warning:: annotation with Critical/High counts. FAIL_ON: "" at each call site; setting it to high later turns the scan into a hard gate (one-line diff).
  • Fetches and applies Akuity's published VEX statements (OpenVEX) from https://vex.akuity.io/pkg/oci/ghcr.io/akuity/kargo/vex.json via grype --vex, so findings assessed as not-affected are suppressed. A 404 is tolerated until VEX publishing goes live — scans tighten automatically once it does.
  • -unstable builds use the canonical ghcr.io/akuity/kargo path for VEX lookups, sharing the release dispositions.
  • download-grype is pinned to a full commit SHA (v7.4.0) with DB caching.

The same recipe is live in Akuity's other image repos; this PR's own build-image job exercises the CI scan path end-to-end.

Adds hack/cve-scan.sh and wires it into the image pipelines:

- ci.yaml build-image: the multi-platform build previously stayed in
  buildx cache (push: false); it now pushes to the job-local registry
  service (nothing leaves the runner) so the built image can be scanned.
- release.yaml publish-image: scan the just-pushed digest. VEX lookups
  use the canonical ghcr.io/akuity/kargo path so unstable builds share
  the release dispositions.

The scan fetches Akuity's published VEX statements from vex.akuity.io
(tolerating their absence until publishing goes live) and is
report-only: findings go to the job step summary plus a warning
annotation with Critical/High counts. Setting FAIL_ON=high later turns
a call site into a hard gate. The download-grype action is pinned to a
full commit SHA.

Signed-off-by: Eron Wright <eron.wright@akuity.io>
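The report-only post-processing the description sketches (count Critical/High findings, emit a `::warning::` annotation, write a step-summary table, and gate only when FAIL_ON is set), as an added Python example that is not the PR's hack/cve-scan.sh or any Akuity code. It reads a constructed grype JSON report and a constructed OpenVEX document embedded inline, and emulates in a few lines the `not_affected` suppression that `grype --vex` performs, so it runs offline; the placeholder purl, paths and CVE ids are made up, and the FAIL_ON threshold semantics (any finding at or above the named severity fails) are an assumption.

```python
"""Report-only CVE scan post-processing: VEX suppression, severity counts,
GitHub Actions annotation, step-summary table, optional FAIL_ON gate.
Added example; not the project's hack/cve-scan.sh."""
import json

SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed grype JSON report (real grype output has more fields; these
# are the ones the script below consumes). CVE ids and paths are placeholders.
SAMPLE_GRYPE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                       "fix": {"versions": ["0.52.0"], "state": "fixed"}},
     "artifact": {"name": "golang.org/x/crypto", "version": "0.50.0",
                  "locations": [{"path": "/usr/local/bin/app"}]}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "golang.org/x/net", "version": "0.53.0",
                  "locations": [{"path": "/usr/local/bin/app"}]}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "High",
                       "fix": {"versions": ["1.2.4"], "state": "fixed"}},
     "artifact": {"name": "libexample", "version": "1.2.3",
                  "locations": [{"path": "/usr/lib/libexample.so"}]}},
]})

# Constructed OpenVEX document; the product id is a placeholder purl.
SAMPLE_VEX = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/placeholder",
    "statements": [{"vulnerability": {"name": "CVE-0000-0003"},
                    "products": [{"@id": "pkg:oci/app@sha256%3APLACEHOLDER"}],
                    "status": "not_affected",
                    "justification": "vulnerable_code_not_present"}],
})


def not_affected_ids(vex_json):
    """CVE ids the VEX document marks not_affected. A missing document
    (the 404 case before publishing goes live) suppresses nothing."""
    if vex_json is None:
        return set()
    doc = json.loads(vex_json)
    return {s["vulnerability"]["name"] for s in doc.get("statements", [])
            if s.get("status") == "not_affected"}


def parse_findings(report_json, vex_json=None):
    """Flatten grype matches into rows, dropping VEX-suppressed findings."""
    suppressed = not_affected_ids(vex_json)
    rows = []
    for m in json.loads(report_json).get("matches", []):
        vuln, art = m["vulnerability"], m["artifact"]
        if vuln["id"] in suppressed:
            continue
        rows.append({
            "id": vuln["id"],
            "severity": vuln.get("severity", "Unknown").lower(),
            "package": art["name"],
            "version": art["version"],
            "fixed_in": ", ".join(vuln.get("fix", {}).get("versions", [])) or "-",
            "location": (art.get("locations") or [{}])[0].get("path", "-"),
        })
    return rows


def severity_counts(rows):
    """Critical/High totals for the annotation line."""
    counts = {"critical": 0, "high": 0}
    for r in rows:
        if r["severity"] in counts:
            counts[r["severity"]] += 1
    return counts


def warning_annotation(image_ref, rows):
    """`::warning::` workflow command the runner renders as a job annotation."""
    c = severity_counts(rows)
    return (f"::warning::CVE scan of {image_ref}: {c['critical']} critical / "
            f"{c['high']} high (full table in the job step summary)")


def step_summary(rows):
    """Markdown table to append to $GITHUB_STEP_SUMMARY, worst severity first."""
    lines = ["| Severity | Vulnerability | Package | Version | Fixed in | Location |",
             "|---|---|---|---|---|---|"]
    for r in sorted(rows, key=lambda r: -SEVERITY_RANK.get(r["severity"], -1)):
        lines.append(f"| {r['severity']} | {r['id']} | {r['package']} | "
                     f"{r['version']} | {r['fixed_in']} | {r['location']} |")
    return "\n".join(lines)


def gate(rows, fail_on=""):
    """Exit status: 0 when report-only (FAIL_ON empty) or nothing reaches the
    threshold, 1 otherwise. Assumed threshold semantics: at or above."""
    if not fail_on:
        return 0
    threshold = SEVERITY_RANK[fail_on.lower()]
    return 1 if any(SEVERITY_RANK.get(r["severity"], -1) >= threshold for r in rows) else 0


if __name__ == "__main__":
    rows = parse_findings(SAMPLE_GRYPE_REPORT, SAMPLE_VEX)
    print(warning_annotation("registry:localhost:5000/app:scan", rows))
    print(step_summary(rows))
    print("exit with FAIL_ON='':", gate(rows, ""), "| FAIL_ON=high:", gate(rows, "high"))
```

Flipping the call site from `FAIL_ON=""` to `FAIL_ON=high` is the only change needed to turn the same run from an annotation into a failing step, which is the one-line diff the description refers to; note that VEX suppression happens before counting, so dispositioned findings neither appear in the table nor trip the gate.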
@EronWright EronWright requested a review from a team as a code owner June 4, 2026 21:02
@netlify netlify Bot commented Jun 4, 2026

Deploy Preview for docs-kargo-io ready!

| Name | Link |
|---|---|
| Latest commit | 4410e7a |
| Latest deploy log | https://app.netlify.com/projects/docs-kargo-io/deploys/6a283ed9c60c290008d9e734 |
| Deploy Preview | https://deploy-preview-6410.docs.kargo.io |

@kargo-governance-bot kargo-governance-bot Bot added labels Jun 4, 2026: needs/area (Issue or PR needs to be labeled to indicate what parts of the code base are affected), needs/kind (Issue or PR needs to be labeled to clarify its nature), needs/priority (Priority has not yet been determined; a good signal that maintainers aren't fully committed)
@codecov codecov Bot commented Jun 4, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 58.34%. Comparing base (0b8f145) to head (4410e7a).
⚠️ Report is 8 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #6410      +/-   ##
==========================================
+ Coverage   58.32%   58.34%   +0.02%     
==========================================
  Files         500      500              
  Lines       41939    42015      +76     
==========================================
+ Hits        24462    24515      +53     
- Misses      16010    16029      +19     
- Partials     1467     1471       +4     


@EronWright EronWright requested a review from kencochrane June 4, 2026 21:13
@EronWright (Contributor, Author)

CI verification

The build-image job on this PR ran the scan end-to-end via the job-local registry (job green, report-only):

⚠️ CVE scan of registry:localhost:5000/kargo:scan: 17 critical / 14 high (full table in the job step summary)

Context for the counts: a large batch of golang.org/x/crypto (fixed in 0.52.0), x/net (fixed in 0.55.0), and Go stdlib (fixed in 1.26.4) advisories was published on 2026-06-03→04 and accounts for much of this. The VEX 404 notice is expected until vex.akuity.io goes live — at which point dispositioned findings are suppressed automatically with no workflow change.

GitHub Actions parses workflow commands from stderr as well, so the
::error:: annotations still render.

Signed-off-by: Eron Wright <eron.wright@akuity.io>
@EronWright EronWright enabled auto-merge June 5, 2026 17:39
Sync cve-scan.sh: per-location Critical/High table from grype artifact
paths, and report-only mode no longer fails the build when grype can't
produce a report (warns instead; still fails closed when FAIL_ON set).

Signed-off-by: Eron Wright <eron.wright@akuity.io>