chore(ci): resolve scan-vulns CI failures by updating Go, deps, and Trivy#2522

Merged
susanshi merged 1 commit into
notaryproject:mainfrom
YitongFeng-git:yife/ci1
May 25, 2026
Conversation

YitongFeng-git (Contributor) commented May 14, 2026

Description

The scan-vulns CI workflow is failing on all PRs due to known vulnerabilities detected by govulncheck and outdated Trivy configuration.

This PR fixes both jobs in scan-vulns.yaml:

govulncheck:

  • Update go-version from 1.22 to 1.26 (was already out of date with go.mod)
  • Bump go directive in go.mod to 1.26 to fix 17 stdlib vulnerabilities
  • Update vulnerable dependencies:
    • go.opentelemetry.io/otel/sdk v1.38.0 → v1.43.0 (GO-2026-4394)
    • golang.org/x/net v0.43.0 → v0.54.0 (GO-2026-4918)
    • github.com/theupdateframework/go-tuf/v2 v2.2.0 → v2.4.1
    • github.com/sigstore/rekor v1.4.2 → v1.5.0
    • github.com/sigstore/sigstore-go v1.1.3 → v1.1.4

Trivy (scan_vulnerabilities):

  • Bump Trivy from 0.58.2 to 0.70.0
  • Replace deprecated --vuln-type flag with --pkg-types
  • Remove --skip-db-update so Trivy can download the DB when cache is unavailable

Which issue(s) does this PR resolve?

Fixes scan-vulns CI workflow failures blocking all PRs.

Type of change

  • Bug fix (non-breaking change which fixes an issue)

Testing and verification

  • govulncheck ./... reports 0 called vulnerabilities locally
  • go build ./... passes
  • go test ./... passes (except pre-existing internal/controller, which requires kubebuilder binaries)

Checklist

  • Does the affected code have corresponding tests?
  • Are the changes documented, not just with inline documentation, but also with conceptual documentation such as an overview of a new feature, or task-based documentation like a tutorial? Consider if this change should be announced on your project blog.
  • Does this introduce breaking changes that would require an announcement or bumping the major version?
  • Do all new files have an appropriate license header?

Post merge requirements

  • MAINTAINERS: manually trigger the "Publish Package" workflow after merging any PR that indicates Helm Chart Change
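Since the root cause noted above was a govulncheck go-version pin that had drifted from go.mod, the following added shell check (not part of the PR or the project) compares the two before CI ever runs; the module name, file paths and workflow contents are constructed samples.

```shell
#!/bin/sh
# Added example, not from the PR or the project: flag drift between the
# `go` directive in go.mod and the go-version pinned in a CI workflow.
# Paths, module name and file contents below are constructed samples.

go_mod_version() {
  # Print the X.Y version from the `go X.Y` directive in the go.mod at $1.
  awk '$1 == "go" { print $2; exit }' "$1"
}

workflow_go_version() {
  # Print the first literal `go-version:` value in the workflow at $1,
  # with quotes stripped (expressions such as ${{ ... }} are not handled).
  sed -n 's/^[[:space:]]*go-version:[[:space:]]*//p' "$1" | head -n 1 | tr -d "'\"[:space:]"
}

check_go_version_drift() {
  # Exit 0 when go.mod ($1) and the workflow ($2) agree, 1 when they differ.
  mod=$(go_mod_version "$1")
  wf=$(workflow_go_version "$2")
  if [ -n "$mod" ] && [ "$mod" = "$wf" ]; then
    echo "ok: go.mod and workflow both pin Go $mod"
    return 0
  fi
  echo "drift: go.mod declares go $mod but workflow pins go-version $wf" >&2
  return 1
}

# Constructed samples mirroring the situation described in the PR:
# go.mod already at 1.26 while the govulncheck job still pinned 1.22.
tmp=$(mktemp -d)
printf 'module example.com/constructed\n\ngo 1.26\n' > "$tmp/go.mod"
cat > "$tmp/stale.yaml" <<'EOF'
jobs:
  govulncheck:
    steps:
      - uses: actions/setup-go@v5
        with:
          go-version: '1.22'
EOF
sed 's/1\.22/1.26/' "$tmp/stale.yaml" > "$tmp/fixed.yaml"

check_go_version_drift "$tmp/go.mod" "$tmp/stale.yaml" || echo "(stale workflow correctly rejected)"
check_go_version_drift "$tmp/go.mod" "$tmp/fixed.yaml"
```

Run it as a pre-commit hook or an early CI step so a go.mod bump that is not mirrored in the workflow fails fast instead of surfacing as a govulncheck error later.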

Copilot AI left a comment

Pull request overview

This PR aims to unblock the failing scan-vulns GitHub Actions workflow by upgrading the Go toolchain/dependencies to address govulncheck findings, and by updating Trivy plus its CLI flags/config.

Changes:

  • Bump the module’s go directive and upgrade a large set of dependencies in go.mod to remediate reported vulnerabilities.
  • Update scan-vulns.yaml to use a newer Go version for govulncheck.
  • Update Trivy to 0.70.0 and modernize Trivy CLI flags used in repository/image scans.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 3 comments.

File                                 Description
go.mod                               Raises the minimum Go version and updates dependencies to address govulncheck findings.
.github/workflows/scan-vulns.yaml    Updates Go/Trivy versions and Trivy invocation flags to fix scan-vulns CI failures.

fseldow (Contributor) commented May 14, 2026

not ratify code change, ci related should start with chore instead of fix

fseldow (Contributor) commented May 14, 2026

need approval from maintainer to trigger the ci test

YitongFeng-git changed the title from "fix(ci): resolve scan-vulns CI failures by updating Go, deps, and Trivy" to "chore(ci): resolve scan-vulns CI failures by updating Go, deps, and Trivy" on May 14, 2026
YitongFeng-git force-pushed the yife/ci1 branch 4 times, most recently from 5a75cce to 94724c7 on May 20, 2026 05:21
susanshi previously approved these changes May 20, 2026
codecov bot commented May 21, 2026

Codecov Report

❌ Patch coverage is 95.45455% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 77.10%. Comparing base (44421ae) to head (03d1085).

Files with missing lines Patch % Lines
pkg/policyprovider/mocks/types.go 0.00% 1 Missing ⚠️
Additional details and impacted files
@@           Coverage Diff           @@
##             main    #2522   +/-   ##
=======================================
  Coverage   77.10%   77.10%           
=======================================
  Files         105      105           
  Lines        4657     4657           
=======================================
  Hits         3591     3591           
  Misses        917      917           
  Partials      149      149           


YitongFeng-git force-pushed the yife/ci1 branch 2 times, most recently from 5a3df2b to a5d8f67 on May 21, 2026 05:01
Signed-off-by: Yitong Feng <yife@microsoft.com>
susanshi merged commit 9ca0530 into notaryproject:main May 25, 2026
13 checks passed
YitongFeng-git deleted the yife/ci1 branch May 25, 2026 07:45