
chore: bump Trivy 0.69.3→0.70.0, auto-close stale vuln PRs, restrict push to main #63

Open

hsri-pf9 wants to merge 4 commits into main from update/trivy-0.70.0

Conversation

@hsri-pf9
Contributor

Summary

  • Bumps pinned Trivy version in .github/workflows/security-scan.yml from 0.69.3 to 0.70.0 (where applicable)
  • Adds Close Stale Vulnerability PR (if clean) step to each scanner job (gosec/bandit/trivy) — automatically closes the report PR when a subsequent scan finds no HIGH/CRITICAL vulnerabilities
  • Restricts on.push.branches to main only, removing any other branches

Changes

Trivy version bump

  • `sudo apt install -y trivy=0.69.3 jq` → `sudo apt install -y trivy=0.70.0 jq` (skipped if repo does not pin trivy via apt)

Auto-close stale vulnerability PRs

Previously, if a scan found vulnerabilities and raised a report PR (e.g. auto/trivy-scan/main), that PR stayed open forever once the issue was fixed. Added a close step to each scanner job that:

  • Runs only on push events when no HIGH/CRITICAL vulnerabilities are found
  • Finds any open PR on the auto/<scanner>-scan/<branch> branch and closes it with an explanatory comment

Push trigger cleanup

  • Removed non-main branches from on.push.branches

Test plan

  • CI installs the correct Trivy version (0.70.0) on this PR
  • Merge a fix to a branch that has an open vulnerability report PR and confirm the report PR is auto-closed
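The close step described above, as an added example that is not the PR's own workflow code: it derives the report branch name, counts HIGH/CRITICAL findings in a Trivy JSON report, and closes any open PR on that branch only for a clean push. The branch layout auto/<scanner>-scan/<branch>, an authenticated `gh` in CI, and the constructed sample report (placeholder CVE ids) are assumptions.

```shell
# Added example, not the PR's own workflow code: the "Close Stale Vulnerability PR
# (if clean)" logic as functions a `run:` step could source. Assumes the report PR's
# head branch is auto/<scanner>-scan/<branch> (as the PR describes) and that `gh` is
# authenticated in CI. The sample report below is constructed, with placeholder CVE ids.
set -eu

# Head branch the scanner used for its report PR, e.g. auto/trivy-scan/main.
report_branch() {
  printf 'auto/%s-scan/%s\n' "$1" "$2"
}

# Number of HIGH/CRITICAL findings in a Trivy JSON report. Uses jq when present
# (the workflow installs it); otherwise greps the pretty-printed JSON.
high_critical_count() {
  if command -v jq >/dev/null 2>&1; then
    jq '[.Results[]?.Vulnerabilities[]? | select(.Severity == "HIGH" or .Severity == "CRITICAL")] | length' "$1"
  else
    grep -c -E '"Severity": *"(HIGH|CRITICAL)"' "$1" || true
  fi
}

# "close" only on push events with a clean scan; anything else keeps the report PR open.
stale_pr_action() {
  if [ "$1" = "push" ] && [ "$2" -eq 0 ]; then echo close; else echo keep; fi
}

# Close every open PR whose head is the report branch, leaving an explanatory comment.
close_stale_prs() {
  head="$(report_branch "$1" "$2")"
  gh pr list --state open --head "$head" --json number --jq '.[].number' |
  while read -r num; do
    gh pr close "$num" --comment "Closing: a later $1 scan of $2 found no HIGH/CRITICAL vulnerabilities."
  done
}

# Constructed Trivy-style report used for the worked run (placeholder CVE ids).
write_sample_report() {
  f="$(mktemp)"
  cat >"$f" <<'EOF'
{ "Results": [ { "Target": "sample-image (constructed)", "Vulnerabilities": [
  { "VulnerabilityID": "CVE-0000-0001", "Severity": "CRITICAL" },
  { "VulnerabilityID": "CVE-0000-0002", "Severity": "HIGH" },
  { "VulnerabilityID": "CVE-0000-0003", "Severity": "LOW" } ] } ] }
EOF
  echo "$f"
}

# Worked run: a clean push would call close_stale_prs trivy main; this sample is not clean.
report="$(write_sample_report)"
echo "action: $(stale_pr_action push "$(high_critical_count "$report")")"   # action: keep
```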
