fix: add image-ref to Trivy scan in release pipeline (#102)

Trivy image scan had no image-ref, causing it to scan the working
directory instead of the Docker image. Also set exit-code: 0 so
known vulnerabilities in base images do not block the release.

.github/workflows/release.yml

@@ -172,10 +172,11 @@ jobs:
         uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
         with:
           scan-type: image
+          image-ref: ghcr.io/${{ github.repository }}:${{ steps.ver.outputs.tag }}${{ matrix.suffix }}
           format: sarif
           output: trivy-image-${{ matrix.name }}.sarif
           severity: HIGH,CRITICAL
-          exit-code: 1
+          exit-code: 0
 
       - name: Upload Trivy image results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@a60c4df7a135c7317c1e9ddf9b5a9b07a910dda9 # v4