fix: update trivy-action to v0.35.0 (post-compromise safe SHA) and pin trivy v0.69.3

The v0.33.1 SHA (b6643a29) was in the compromised range from the
March 19 supply chain attack. Updated to v0.35.0 (57a97c7e) which
is the verified safe release. Pinned trivy binary to v0.69.3 to
avoid 'missing release artifacts' failures on auto-detected versions.

Author: samuelho-dev

.github/workflows/docker-build-push.yml

@@ -168,23 +168,25 @@ jobs:
 
       - name: Run Trivy vulnerability scanner (table output)
         if: inputs.scan
-        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
         with:
           image-ref: ${{ inputs.registry }}/${{ github.repository_owner }}/${{ inputs.image }}@${{ steps.build.outputs.digest }}
           format: 'table'
           severity: ${{ inputs.severity }}
           timeout: '10m'
           exit-code: '0' # Don't fail on vulnerabilities, just report
+          version: 'v0.69.3'
 
       - name: Run Trivy vulnerability scanner (SARIF output)
         if: inputs.scan && inputs.upload-sarif
-        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
         with:
           image-ref: ${{ inputs.registry }}/${{ github.repository_owner }}/${{ inputs.image }}@${{ steps.build.outputs.digest }}
           format: 'sarif'
           output: 'trivy-results.sarif'
           severity: ${{ inputs.severity }}
           timeout: '10m'
+          version: 'v0.69.3'
 
       - name: Upload Trivy scan results to GitHub Security
         if: inputs.scan && inputs.upload-sarif