Drop the push paths filter so secret and misconfig scans cover all file types
(YAML, JSON, native, scripts), not just JS/TS. Replace the per-run
github.run_id cache key with a weekly per-OS key, so the vulnerability DB is
reused within the week instead of writing a fresh immutable cache entry on
every run.
Streamyfin ships no container image, so this runs a Trivy *filesystem* scan
(vulnerable deps, secrets, misconfig) and uploads SARIF to GitHub code scanning,
complementing CodeQL and dependency-review. Runs on push to develop/master,
weekly, and on demand (not on PRs — fork PRs can't upload SARIF, and
dependency-review already gates PR dependencies). Reports findings (CRITICAL/HIGH,
ignore-unfixed) without failing the build; the Security tab surfaces them.
