ci(auth): add Grype scan step; document provenance/sbom OCI referrer limitation (CAR-1446)

- Insert anchore/scan-action@v5 step between Build and Push
- severity-cutoff: high, only-fixed: true (matches monorepo pattern)
- Add inline comment on provenance:false/sbom:false explaining OCI distribution
  spec >=1.1 limitation on git.farh.net registry

Co-Authored-By: Paperclip <noreply@paperclip.ing>

.gitea/workflows/ci.yml

@@ -67,11 +67,28 @@ jobs:
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
 
+      - name: Scan Docker image
+        uses: anchore/scan-action@v5
+        id: scan
+        env:
+          GRYPE_CONFIG: .grype.yaml
+        with:
+          image: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}"
+          fail-build: true
+          severity-cutoff: high
+          only-fixed: "true"
+          output-format: sarif
+
       - name: Push Docker image
         uses: docker/build-push-action@v6
         with:
           context: .
           push: true
+          # CAR-1446: git.farh.net does not support OCI referrers (distribution spec
+          # >=1.1 required for attestation push). Enabling provenance:true/sbom:true
+          # would cause the push to fail on the referrer PUT. The Grype scan step
+          # above is the compensating control — it fails the build on any unfixed
+          # high-severity CVE before the image reaches the registry.
           provenance: false
           sbom: false
           tags: ${{ steps.meta.outputs.tags }}