
chore: remove trivy action#123

Merged
sutaakar merged 1 commit into opendatahub-io:main from robert-bell:remove-trivy
Mar 26, 2026

Conversation


@robert-bell robert-bell commented Mar 25, 2026

What this PR does / why we need it:

Removing trivy as per upstream kubeflow#3389.

The action was already disabled and not running.

Which issue(s) this PR fixes (optional, in Fixes #<issue number>, #<issue number>, ... format, will close the issue(s) when PR gets merged):
Fixes #

Checklist:

  • Docs included if any changes are user facing

Summary by CodeRabbit

  • Chores
    • Removed automated security vulnerability scanning workflow from the CI/CD pipeline.

Signed-off-by: Rob Bell <robell@redhat.com>

coderabbitai Bot commented Mar 25, 2026

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between 8fb40b1 and 462f95a.

📒 Files selected for processing (1)
  • .github/workflows/trivy-scan.yaml
💤 Files with no reviewable changes (1)
  • .github/workflows/trivy-scan.yaml

📝 Walkthrough

This pull request removes .github/workflows/trivy-scan.yaml, a GitHub Actions workflow that performed automated filesystem vulnerability scanning using Trivy on push to master and all pull requests. The workflow generated SARIF reports filtered to CRITICAL and HIGH severity findings and uploaded them to GitHub's Security tab.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes


Security Findings

Removal of vulnerability scanning infrastructure — This deletion eliminates automated detection of filesystem-level vulnerabilities (CWE-693: Protection Mechanism Failure). There is no evidence in this diff that:

  1. Trivy scanning is being migrated to an alternative mechanism (e.g., different workflow, different tool)
  2. Compensating controls exist elsewhere to detect CRITICAL/HIGH severity vulnerabilities in dependencies or system packages
  3. A documented decision rationale exists for removing this security control

Actionable issue: Confirm whether vulnerability scanning continues via an alternative mechanism. If not, this represents a gap in security controls that should be explicitly documented and approved.

🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)
Check name        | Status    | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check       | ✅ Passed | The title 'chore: remove trivy action' accurately and clearly describes the primary change—removal of the Trivy GitHub Actions workflow.

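The kind of workflow the walkthrough describes, written here as an added reconstruction and not the deleted trivy-scan.yaml itself: a Trivy filesystem scan on pushes to master and on pull requests, filtered to CRITICAL and HIGH findings, emitted as SARIF and uploaded to the repository's Security tab. The action versions, the `security-events: write` permission and the output file name are assumptions.

```yaml
# Reconstructed example of a Trivy filesystem-scan workflow of the type this
# PR removes. It is not the repository's deleted file; action versions, the
# permissions block and the SARIF output path are assumptions.
name: Trivy filesystem scan

on:
  push:
    branches: [master]
  pull_request:

# Least-privilege token: read the checkout, write only code-scanning results.
permissions:
  contents: read
  security-events: write

jobs:
  trivy-fs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Scan repository filesystem with Trivy
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
          scan-ref: .
          format: sarif
          output: trivy-results.sarif
          # Only CRITICAL and HIGH findings reach the report, as the
          # walkthrough describes for the removed workflow.
          severity: CRITICAL,HIGH
          # Do not fail the job: results are surfaced via code scanning.
          exit-code: '0'

      - name: Upload SARIF to GitHub code scanning (Security tab)
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
```

Removing a file like this also removes the code-scanning alerts it fed, so a replacement scanner should upload its own SARIF to keep that visibility.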

@sutaakar sutaakar merged commit 7fa0b8a into opendatahub-io:main Mar 26, 2026
8 checks passed