ci: fix Security Scan, Coverage, and PR Review CI failures

- Add .trivyignore for CVE-2026-34040 (docker/docker via bufbuild/buf);
  fixed version v29.3.1 not yet published to Go module proxy
- Set fail_ci_if_error: false on Codecov upload; Dependabot PRs lack
  CODECOV_TOKEN access, blocking CI on passing test runs
- Separate stderr from stdout in ckb review step; mixed output caused
  jq parse failures and empty SCORE in the fail verdict check

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: SimplyLiz

.github/workflows/ci.yml

@@ -229,7 +229,7 @@ jobs:
           BASE_REF: ${{ github.event.pull_request.base.ref }}
         run: |
           set +e
-          ckb review --ci --base="${BASE_REF}" --format=json > review.json 2>&1
+          ckb review --ci --base="${BASE_REF}" --format=json > review.json 2>review_err.txt
           EXIT_CODE=$?
           set -e
 

.github/workflows/cov.yml

@@ -63,7 +63,7 @@ jobs:
         with:
           files: coverage.out
           flags: unit
-          fail_ci_if_error: true
+          fail_ci_if_error: false
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 

.trivyignore

@@ -0,0 +1,6 @@
+# CVE-2026-34040: docker/docker authorization bypass
+# Affects github.com/docker/docker < v29.3.1, pulled in transitively by
+# bufbuild/buf → bufplugindocker. The fixed version (v29.3.1) has not been
+# published to the Go module proxy yet. Revisit when buf ships a release
+# that depends on docker/docker >= v29.3.1.
+CVE-2026-34040