Fix security-scan workflow: update CodeQL Action to v4, guard SARIF upload

[Copilot]

The security-scan/security job fails when Trivy doesn't produce a SARIF file (e.g., on scan failure) because the upload step runs unconditionally via always(). Additionally, CodeQL Action v3 is deprecated.

• Update github/codeql-action/upload-sarif from @v3 → @v4
• Add id: trivy to the Trivy step and gate the upload on steps.trivy.outcome == 'success' (outcome reflects the real result before continue-on-error is applied, unlike conclusion)

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

[Copilot]

Pull request overview

This PR fixes the security-scan/security GitHub Actions workflow so it doesn’t fail when Trivy doesn’t generate a SARIF file, and it updates the deprecated CodeQL SARIF upload action to the current major version.

Changes:

• Add an id to the Trivy step so later steps can reliably reference its result.
• Gate SARIF upload on the Trivy step’s outcome to avoid attempting uploads when Trivy failed to produce output.
• Update github/codeql-action/upload-sarif from @v3 to @v4.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.