Conversation

@niStee niStee commented Nov 1, 2025

What does this PR do?

Supply-chain security and workflow hardening, adding scanners, SBOMs, and signed release assets.

Changes (vs main):

  • Add OSV Scanner (Docker, digest pinned) with SARIF upload; fork-safe uploads; path filters; severity gating via .github/osv-scanner-config.yaml; initially non-blocking for triage
  • Add Trivy FS scan (Docker, digest pinned) with SARIF upload; fork-safe uploads; path filters; initially non-blocking for triage
  • Add SBOM workflow (Syft via anchore/sbom-action@v0) and upload artifact
  • Harden DevSkim workflow: fork-safe SARIF upload, concurrency guard, hardened checkout
  • Release workflow:
    • Generate SBOM for release assets
    • Keyless Cosign signing per asset (.sig/.crt) and a signed SHA256SUMS manifest
    • Fix duplicate SHA256SUMS/sign block and add workflow-level concurrency
  • Docs: README.md adds verification instructions and badges (CI, OpenSSF Scorecard, OSV/Trivy/DevSkim/SBOM); RELEASE_PROCEDURE.md adds verification steps (checksums, Cosign, SBOM)

Notes:

  • Scanners are intentionally non-blocking to establish a baseline; we can flip to hard-fail after triage
  • All SARIF uploads guard against forks to avoid permission errors
  • Actions pinned by version or digest where applicable; follow-ups can pin remaining actions by SHA and adjust Dependabot rules if desired

This is the updated version of PR #1309 with all conflicts resolved against the current main branch.

Standards checklist

  • The PR title is descriptive and scoped
  • I have read CONTRIBUTING.md
  • Optional: I have tested the code myself
  • If this PR introduces user-facing messages, they are translated (N/A)

For new steps

  • Optional: Topgrade skips this step where needed (N/A)
  • Optional: The --dry-run option works with this step (N/A)
  • Optional: The --yes option works with this step (N/A)
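Verifying a downloaded release the way the PR describes (a signed SHA256SUMS manifest plus keyless Cosign `.sig`/`.crt` per asset), written here as an added example and not code from this PR or from the Topgrade project; the `OWNER/REPO` path, the `release.yml` workflow name and the `v*` tag pattern in the certificate identity are placeholder assumptions, and `sha256sum` and `cosign` are assumed to be on PATH.

```shell
#!/usr/bin/env sh
# Added example (not from the PR): offline verification of release assets.
# Order matters: check the manifest's own signature first, then the checksums
# it lists, then each asset's keyless signature.
set -eu

verify_checksums() {
  # $1 = directory holding the assets and SHA256SUMS; 0 only if every line matches.
  (cd "$1" && sha256sum -c --strict SHA256SUMS >/dev/null 2>&1)
}

verify_signature() {
  # $1 = asset path; expects "$1.sig" and "$1.crt" beside it (the PR's layout).
  # The identity regexp and OIDC issuer pin the short-lived certificate to the
  # release workflow of one repository; OWNER/REPO is a placeholder assumption.
  cosign verify-blob \
    --certificate "$1.crt" \
    --signature "$1.sig" \
    --certificate-identity-regexp \
      '^https://github\.com/OWNER/REPO/\.github/workflows/release\.yml@refs/tags/v.*$' \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    "$1"
}

verify_release_dir() {
  # $1 = directory with all assets, their .sig/.crt files and SHA256SUMS.
  dir=$1
  verify_signature "$dir/SHA256SUMS"
  verify_checksums "$dir"
  # SHA256SUMS lines are "<hex digest>  <file name>"; verify each listed asset.
  while read -r _digest name; do
    verify_signature "$dir/$name"
  done < "$dir/SHA256SUMS"
  echo "all assets in $dir verified"
}

# Run end to end when given a directory; does nothing when sourced for its functions.
if [ -n "${1:-}" ]; then
  verify_release_dir "$1"
fi
```

`verify_checksums` fails closed (with `--strict`, a malformed manifest line is treated as a failure rather than a warning), so a tampered or truncated SHA256SUMS is rejected even before any asset signature is checked.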

niStee commented Nov 2, 2025

This PR has been superseded by #1416, which is a cleaner implementation containing only the security scanning features without breaking changes.

The following issues with this PR have been identified and resolved in the new PR:

  1. Deleted triggers job - breaks AUR/PyPI/Winget release pipeline
  2. Removed shell completions - breaks Debian packages (.deb files)
  3. Platform downgrades - reverts recent improvements (macos-15-intel → macos-13, ubuntu-22.04 → ubuntu-latest)
  4. Included VALIDATION_SUMMARY.txt - temporary development file that shouldn't be committed

The new PR #1416 contains:

  • ✅ OSV Scanner workflow (safe, non-blocking)
  • ✅ Trivy FS workflow (safe, non-blocking)
  • ✅ SBOM generation workflow (safe, non-blocking)
  • ✅ DevSkim workflow hardening (safe, fork-protected)
  • ✅ No breaking changes to existing workflows or functionality

Closing this PR in favor of the cleaner implementation.

@niStee niStee closed this Nov 2, 2025
@niStee niStee deleted the pr-1309-updated branch November 2, 2025 00:32