Replace aquasecurity/trivy-action with direct install

The Trivy GitHub Action wrapper does nested checkouts and auth-juggling
that breaks on Self-Hosted Gitea Actions: 'Failure - Main Checkout
install script' on the first HellionChat run. Switching to the
upstream install.sh + plain `trivy fs` invocation has a smaller
surface and removes the action-internal git clone dance entirely.

.gitea/workflows/security-scan.yml

@@ -47,14 +47,15 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Install Trivy
+        # Direct install via the official upstream script. The aquasecurity/
+        # trivy-action wrapper does nested checkouts and auth-juggling that
+        # does not play well with Self-Hosted Gitea Actions, this is more
+        # robust and a smaller surface.
+        run: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin
+
       - name: Run Trivy filesystem scan
         # Scans dependency manifests (NuGet, npm, package-lock etc.) against
-        # the NVD CVE database. ignore-unfixed skips findings that have no
-        # patched version available so we focus on actionable items.
-        uses: aquasecurity/trivy-action@master
-        with:
-          scan-type: fs
-          scan-ref: .
-          severity: ${{ inputs.severity }}
-          exit-code: '1'
-          ignore-unfixed: true
+        # the NVD CVE database. --ignore-unfixed skips findings that have
+        # no patched version available so we focus on actionable items.
+        run: trivy fs --severity ${{ inputs.severity }} --exit-code 1 --ignore-unfixed .