fix: remove push trigger from security.yml and upgrade codeql-action to v4

security.yml ran concurrently with build.yml on push to main, trying to scan
GHCR images that hadn't been pushed yet. Weekly schedule is sufficient since
build.yml already scans images during CI.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: maatini

.github/workflows/build.yml

@@ -113,7 +113,7 @@ jobs:
 
       - name: Upload Trivy SARIF
         if: always()
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         with:
           sarif_file: trivy.sarif
           category: trivy-${{ matrix.service }}

.github/workflows/security.yml

@@ -1,8 +1,6 @@
 name: Security
 
 on:
-  push:
-    branches: [main]
   schedule:
     - cron: '0 5 * * 1'  # Monday 05:00 UTC
 
@@ -58,7 +56,7 @@ jobs:
 
       - name: Upload Trivy SARIF
         if: always()
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         with:
           sarif_file: trivy.sarif
           category: trivy-weekly-${{ matrix.service }}