fix: default Trivy scan to main image tag instead of latest

The `main` tag is built on every push to main (release-dev.yml), while
`latest` is only set on production releases. Scanning `main` ensures
we're triaging the current codebase.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: msukkari

.github/workflows/trivy-vulnerability-triage.yml

@@ -7,9 +7,9 @@ on:
   workflow_dispatch:
     inputs:
       image_tag:
-        description: 'Image tag to scan (default: latest)'
+        description: 'Image tag to scan (default: main)'
         required: false
-        default: 'latest'
+        default: 'main'
       dry_run:
         description: 'Dry run (analyze but do not create Linear issues)'
         required: false
@@ -50,7 +50,7 @@ jobs:
       - name: Run Trivy vulnerability scan
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: "${{ env.IMAGE }}:${{ inputs.image_tag || 'latest' }}"
+          image-ref: "${{ env.IMAGE }}:${{ inputs.image_tag || 'main' }}"
           format: "json"
           output: "trivy-results.json"
           trivy-config: trivy.yaml
@@ -77,7 +77,7 @@ jobs:
         run: |
           echo "## Trivy Scan" >> "$GITHUB_STEP_SUMMARY"
           echo "" >> "$GITHUB_STEP_SUMMARY"
-          echo "**Image:** \`${{ env.IMAGE }}:${{ inputs.image_tag || 'latest' }}\`" >> "$GITHUB_STEP_SUMMARY"
+          echo "**Image:** \`${{ env.IMAGE }}:${{ inputs.image_tag || 'main' }}\`" >> "$GITHUB_STEP_SUMMARY"
           echo "" >> "$GITHUB_STEP_SUMMARY"
           if [ "${{ steps.check.outputs.has_vulnerabilities }}" = "true" ]; then
             VULN_COUNT=$(jq '[.Results[]? | .Vulnerabilities[]?] | length' trivy-results.json)