ci: bump trivy to v0.70.0 and setup-trivy to v0.2.6 to fix REL_5_8 CI

Two related Aqua Security artifacts were removed/GC'd, breaking the
trivy-cache, licenses, secrets, and vulnerabilities jobs on every PR
and push to REL_5_8:
  1. The trivy binary v0.65.0 release artifact was removed by Aqua's
     usual GC of older releases, so `setup-trivy` cannot download it.
  2. The aquasecurity/setup-trivy@v0.2.5 action wrapper version was
     itself removed from the marketplace; the action runner reports
     `Unable to resolve action 'aquasecurity/setup-trivy@v0.2.5'`.
Bump both:
  - trivy binary v0.65.0 -> v0.70.0 (the version pinned on main)
  - aquasecurity/setup-trivy v0.2.5 -> v0.2.6
This supersedes #4465 (which only does the action wrapper bump) so it
can be closed once this lands.

Author: ValClarkson

.github/actions/trivy/action.yaml

@@ -39,7 +39,7 @@ inputs:
       The value "skip" fetches no Trivy data at all.
 
   setup:
-    default: v0.65.0,cache
+    default: v0.70.0,cache
     description: >-
       How to install Trivy; one or more of version, none, or cache.
       The value "none" does not install Trivy at all.
@@ -84,7 +84,7 @@ runs:
     # Install Trivy as requested.
     # NOTE: `setup-trivy` can download a "latest" version but cannot cache it.
     - if: ${{ ! contains(fromJSON(steps.parsed.outputs.setup), 'none') }}
-      uses: aquasecurity/setup-trivy@v0.2.5
+      uses: aquasecurity/setup-trivy@v0.2.6
       with:
         cache: ${{ contains(fromJSON(steps.parsed.outputs.setup), 'cache') }}
         version: ${{ steps.parsed.outputs.version }}