fix: replace gosu with su-exec (CVE-2025-68121) (#1)

* fix: replace gosu with su-exec to eliminate Go stdlib CVE

gosu 1.19 is built with Go 1.24.6 which contains CVE-2025-68121
(fixed in 1.24.13). No newer gosu release available.

su-exec is a minimal C alternative available in Alpine packages,
providing the same CLI interface. Symlink gosu -> su-exec maintains
compatibility with docker-entrypoint.sh.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore: disable upstream CI, add SBOM workflow

- Disable ci.yml and verify-templating.yml (upstream CI, not needed)
- Add sbom.yml: build image, generate CycloneDX SBOM (Syft),
  scan vulnerabilities (Grype), upload artifact

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: inkme9

.github/workflows/ci.yml .github/workflows/ci.yml.disabled.github/workflows/ci.yml renamed to .github/workflows/ci.yml.disabled

@@ -0,0 +1,40 @@
+name: SBOM & Vulnerability Scan
+
+on:
+  push:
+    branches: ["release/*"]
+  pull_request:
+    branches: ["release/*"]
+  workflow_dispatch:
+
+jobs:
+  sbom:
+    name: Generate SBOM and scan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build image
+        run: |
+          docker build -t postgres:local -f 18/alpine3.23/Dockerfile 18/alpine3.23/
+
+      - name: Generate SBOM (Syft)
+        uses: anchore/sbom-action@v0
+        with:
+          image: postgres:local
+          format: cyclonedx-json
+          output-file: sbom.cdx.json
+
+      - name: Scan vulnerabilities (Grype)
+        uses: anchore/scan-action@v6
+        with:
+          image: postgres:local
+          fail-build: false
+          output-format: table
+
+      - name: Upload SBOM
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom-postgres
+          path: sbom.cdx.json
+          retention-days: 90