fix(ci): repair security-scan job (valid Trivy action + SARIF permissions)

The job pinned aquasecurity/trivy-action@0.28.0, a tag that no longer
resolves, so the job failed at startup. Bump to 0.35.0 and grant the
security-events: write permission the SARIF upload step needs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: InfantLab

.github/workflows/ci-cd.yml

@@ -179,12 +179,15 @@ jobs:
   security-scan:
     runs-on: ubuntu-latest
     needs: test
+    permissions:
+      contents: read
+      security-events: write
 
     steps:
       - uses: actions/checkout@v4
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.28.0
+        uses: aquasecurity/trivy-action@0.35.0
         with:
           scan-type: "fs"
           scan-ref: "."