fix(ci): replace flaky trivy-action with direct binary install

Same pattern as the gitleaks fix: aquasecurity/trivy-action@master does
a nested actions/checkout to fetch its install script, which fails on
the Gitea runner. Switch fs-scan and image-scan to download the trivy
binary release directly and invoke it. Pinned to v0.58.1.

.gitea/workflows/ci.yml

@@ -58,12 +58,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: aquasecurity/trivy-action@master
-        with:
-          scan-type: fs
-          severity: "HIGH,CRITICAL"
-          exit-code: "1"
-          ignore-unfixed: "true"
+      - name: Install and run Trivy (filesystem)
+        run: |
+          TRIVY_VERSION=0.58.1
+          curl -sSL "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" \
+            | tar xz -C /tmp trivy
+          /tmp/trivy fs --severity HIGH,CRITICAL --exit-code 1 --ignore-unfixed --no-progress .
 
   build:
     runs-on: ubuntu-latest
@@ -95,12 +95,13 @@ jobs:
           tags: movieloop-frontend:ci-${{ github.sha }}
           load: true
           cache-from: type=gha
-      - uses: aquasecurity/trivy-action@master
-        with:
-          image-ref: movieloop-frontend:ci-${{ github.sha }}
-          severity: "HIGH,CRITICAL"
-          exit-code: "1"
-          ignore-unfixed: "true"
+      - name: Install and run Trivy (image)
+        run: |
+          TRIVY_VERSION=0.58.1
+          curl -sSL "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" \
+            | tar xz -C /tmp trivy
+          /tmp/trivy image --severity HIGH,CRITICAL --exit-code 1 --ignore-unfixed --no-progress \
+            movieloop-frontend:ci-${{ github.sha }}
 
   push:
     runs-on: ubuntu-latest