fix: fix gitleaks SHA and update trivy-scan to safe action version

- gitleaks-action: SHA 1f2d10fb...beba84ae does not exist (miscopied).
  Updated to v2.3.9 (ff98106e) which is the latest stable release.
- trivy-action: Updated from v0.33.1 (b6643a29, compromised range)
  to v0.35.0 (57a97c7e, post-compromise safe release). Pinned trivy
  binary to v0.65.0 to avoid SARIF generation regression in v0.69.x
  (empty artifactLocation.uri fields rejected by upload-sarif).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: samuelho-dev

.github/workflows/gitleaks-scan.yml

@@ -67,7 +67,7 @@ jobs:
 
       - name: Run Gitleaks scan
         id: scan
-        uses: gitleaks/gitleaks-action@1f2d10fb689bc07a5f56f48d6db61f94beba84ae # v2.4.0
+        uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GITLEAKS_CONFIG: ${{ inputs.config-path }}

.github/workflows/trivy-scan.yml

@@ -76,7 +76,7 @@ jobs:
 
       - name: Run Trivy scanner
         id: scan
-        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
         with:
           scan-type: ${{ inputs.scan-type }}
           scan-ref: ${{ inputs.scan-ref }}
@@ -88,6 +88,7 @@ jobs:
           skip-dirs: ${{ inputs.skip-dirs }}
           timeout: ${{ inputs.timeout }}
           trivyignores: '.trivyignore'
+          version: 'v0.65.0'
 
       - name: Count findings
         id: count