ci: use centralized vuln remediation workflow from infra (#206)

Replace per-repo workflow + prompt with a thin caller that invokes the
reusable 3-stage pipeline (triage → fix → PR) in kernel/infra. Per-repo
config in .github/vuln-remediation.json.

Made with [Cursor](https://cursor.com)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Medium risk because it introduces an automated workflow with
`contents`/`pull-requests` write permissions and delegates execution to
an external reusable workflow, which could affect repo automation
behavior.
> 
> **Overview**
> Adds a new scheduled/manual `.github/workflows/vuln-remediation.yml`
that calls the centralized `kernel/security-workflows` reusable
vulnerability remediation pipeline, passing `server/go.mod` for Go
version detection and enabling Python setup.
> 
> Introduces `socket.yml` to configure Socket scanning ignore paths for
`shared/cdp-test/` and `images/chromium-headful/client/`.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
66c4c45. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: ulziibay-kernel

.github/workflows/vuln-remediation.yml

@@ -0,0 +1,18 @@
+name: Vulnerability Remediation
+
+on:
+  schedule:
+    - cron: '0 3 * * 3'
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  remediate:
+    uses: kernel/security-workflows/.github/workflows/vuln-remediation.yml@main
+    with:
+      go-version-file: 'server/go.mod'
+      setup-python: true
+    secrets: inherit

socket.yml

@@ -0,0 +1,4 @@
+version: 2
+projectIgnorePaths:
+  - "shared/cdp-test/"
+  - "images/chromium-headful/client/"