ENH: Add vulnerability scan workflow with grype

* Add GitHub Actions workflow that runs a vulnerability scan with grype
  (https://github.com/anchore/grype) on the conda packages in the Pixi
  environment. Check for installed versions that have releases with known
  fixes.
* Add .grype.yaml to ignore python packages and focus on conda-forge conda
  packages.

Author: matthewfeickert

.github/workflows/grype.yml

@@ -0,0 +1,37 @@
+name: Vulnerability scans
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'pixi.lock'
+      - '.github/workflows/grype.yml'
+  pull_request:
+    paths:
+      - 'pixi.lock'
+      - '.github/workflows/grype.yml'
+  schedule:
+  # Sunday at 01:59 UTC
+  - cron: '59 01 * * 0'
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  grype-scan:
+    name: "Scan action pixi environment"
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+
+      - name: Set up pixi
+        uses: prefix-dev/setup-pixi@1b2de7f3351f171c8b4dfeb558c639cb58ed4ec0  # v0.9.5
+        with:
+          locked: true
+
+      - name: Scan with grype
+        run: pixi exec grype .pixi/envs/default --only-fixed --fail-on high

.grype.yaml

@@ -0,0 +1,4 @@
+ignore:
+  - package:
+      # only show vulnerabilities from conda-forge conda packages
+      type: python