security: pin trivy-action to v0.35.0 (supply chain fix)

Trivy ecosystem supply chain attack (GHSA-69fq-xp46-6x23, March 19-20 2026):
- aquasecurity/trivy-action @master and v0.0.1-v0.34.0 force-pushed with malware
- Pinning to clean aquasecurity/trivy-action@v0.35.0 (uses trivy v0.69.3)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: PenguinzTech

.github/workflows/build-and-test.yml

@@ -305,7 +305,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@v0.35.0
         with:
           scan-type: 'fs'
           scan-ref: '.'

.github/workflows/ci.yml

@@ -93,7 +93,7 @@ jobs:
       uses: actions/checkout@v4
 
     - name: Run Trivy vulnerability scanner
-      uses: aquasecurity/trivy-action@master
+      uses: aquasecurity/trivy-action@v0.35.0
       with:
         scan-type: 'fs'
         scan-ref: '.'

.github/workflows/modular-lb-ci.yml

@@ -269,7 +269,7 @@ jobs:
       - uses: actions/checkout@v4
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@v0.35.0
         with:
           scan-type: 'fs'
           scan-ref: '.'

.github/workflows/security.yml

@@ -104,14 +104,14 @@ jobs:
         docker build -t marchproxy/proxy:scan --target proxy .
 
     - name: Run Trivy container scan - Manager
-      uses: aquasecurity/trivy-action@master
+      uses: aquasecurity/trivy-action@v0.35.0
       with:
         image-ref: 'marchproxy/manager:scan'
         format: 'sarif'
         output: 'trivy-manager-results.sarif'
 
     - name: Run Trivy container scan - Proxy
-      uses: aquasecurity/trivy-action@master
+      uses: aquasecurity/trivy-action@v0.35.0
       with:
         image-ref: 'marchproxy/proxy:scan'
         format: 'sarif'