CI: Make CVE scan blocking on PRs, informational on main

[kevinjqliu]

Follow up to #15430 and #16291.

This make the CVE scan blocking on PRs but only information on main (CVEs will be sent to the Github "security" tab)

Note that all (except 1) CVEs found was fix forward in #16290
The 1 leftover CVE is for Spark 3.4. Adding it to the trivy ignore list for now since we'll be removing Spark 3.4 very soon (#14122)
We should not use trivy ignore list in general, this is an exception.

[rmoff]

The idea of running on PR is in case the PR were to introduce a CVE.

[kevinjqliu]

The idea of running on PR is in case the PR were to introduce a CVE.

what about information only for main branch but blocking on PR?

[huaxingao]

I think we need to fail on PR and be informational on main. I actually found my way to this PR because the post-merge scan on #16279 failed, and I'd rather have seen those CVEs at review time than after they landed on main.

[kevinjqliu]

made the change to block for PR.
should merge the CVE fix PR first (#16290)

[kevinjqliu]

one consideration is that there is a "unfixable" CVE in main (see #16290)

Known unfixable

CVE	Modules	Package	Reason
CVE-2025-52999	spark-3.4	jackson-core@2.14.2	Pinned to 2.14.2 for Spark 3.4 compatibility. Fix requires 2.15.0+.

I think we could add this to a .trivyignore list for now. The issue will be resolved once we remove Spark 3.4, which should be very soon, right after the 1.11 release.
I generally dont like .trivyignore as we are purposing ignoring CVEs but for this specific instance, i think its the best path forward

[rmoff]

I think we could add this to a .trivyignore list for now.

+1