chore: disable upstream CI, add SBOM workflow

- Disable ci.yml and verify-templating.yml (upstream CI, not needed)
- Add sbom.yml: build image, generate CycloneDX SBOM (Syft),
  scan vulnerabilities (Grype), upload artifact

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: inkme9

.github/workflows/ci.yml .github/workflows/ci.yml.disabled.github/workflows/ci.yml renamed to .github/workflows/ci.yml.disabled

@@ -0,0 +1,38 @@
+name: SBOM & Vulnerability Scan
+
+on:
+  push:
+    branches: [master, fix/*]
+  workflow_dispatch:
+
+jobs:
+  sbom:
+    name: Generate SBOM and scan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build image
+        run: |
+          docker build -t postgres:local -f 18/alpine3.23/Dockerfile 18/alpine3.23/
+
+      - name: Generate SBOM (Syft)
+        uses: anchore/sbom-action@v0
+        with:
+          image: postgres:local
+          format: cyclonedx-json
+          output-file: sbom.cdx.json
+
+      - name: Scan vulnerabilities (Grype)
+        uses: anchore/scan-action@v6
+        with:
+          image: postgres:local
+          fail-build: false
+          output-format: table
+
+      - name: Upload SBOM
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom-postgres
+          path: sbom.cdx.json
+          retention-days: 90