.github: run cvewatch after build

This way cvewatch does not have to build all pkgs in
parallel to the actual build process and does not
need to download all the sources, too.

Hopefully this helps to fix the http teapot status issues like:
```
Error: error building "lfedge/eve-cross-compilers:b3d1dc377b3f1161eec194219c34fb1a167d28e9": error building for arch amd64: failed to solve: failed to load cache key: invalid response status 418
2026/03/24 02:17:07 error during command execution: error building "lfedge/eve-cross-compilers:b3d1dc377b3f1161eec194219c34fb1a167d28e9": error building for arch amd64: failed to solve: failed to load cache key: invalid response status 418
```

Signed-off-by: Christoph Ostarek <christoph@zededa.com>

Author: christoph-zededa

.github/workflows/cve-scan.yml

@@ -3,9 +3,13 @@
 ---
 name: CVE PR Gate
 
-"on":
-  pull_request:
-    branches: ["master"]
+on:  # yamllint disable-line rule:truthy
+  workflow_run:
+    workflows: ["PR build"]
+    types: [completed]
+
+  pull_request_review:
+    types: [submitted]
 
 jobs:
   cve-scan: