
Integrate Trivy into workflows #285

Merged
nipunayf merged 7 commits into ballerina-platform:main from nipunayf:add-trivy
Sep 6, 2025

Conversation

@nipunayf (Contributor) commented Sep 6, 2025

Purpose

This PR introduces the Trivy scanner for two scenarios in the CI/CD pipeline:

  1. Runs daily to detect all vulnerabilities.
  2. Runs before release and fails if any high or critical vulnerabilities are found.

Since we create a single uber JAR and do not have each dependent JAR in the file system, traditional file scanning is not feasible (like we did in other repos). Instead, we use cyclonedxBom to generate the SBOM and run Trivy against it.

Fixes wso2/product-ballerina-integrator#506
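As an added example (not code from this PR or from the ballerina-language-server repository), the script below shows what the two scenarios evaluate once the SBOM has been scanned. It assumes the report came from the pipeline the PR describes, with the CycloneDX Gradle plugin's default output path (an assumption): `./gradlew cyclonedxBom`, then `trivy sbom --format json --output trivy.json build/reports/bom.json`. Trivy implements the release gate natively with `--severity HIGH,CRITICAL --exit-code 1`; this script reproduces that gate over Trivy's JSON schema, adds the per-severity summary a daily, non-blocking scan wants, and handles the clean-scan case where a Result carries no `Vulnerabilities` key at all. The sample report embedded in it is constructed; its IDs, packages and versions are placeholders, not real vulnerabilities.

```python
"""Severity gate and summary over a Trivy JSON report (schema v2).

Added example, not code from this PR. Assumed inputs:

    ./gradlew cyclonedxBom                      # CycloneDX Gradle plugin
    trivy sbom --format json --output trivy.json build/reports/bom.json

Trivy's own `--severity HIGH,CRITICAL --exit-code 1` performs the release
gate; this script shows what that gate evaluates and how the same report
serves the daily scan, which reports every severity without failing.
"""
import json
import sys
from collections import Counter

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
RELEASE_BLOCKING = frozenset({"HIGH", "CRITICAL"})


def iter_findings(report):
    """Yield (target, finding) for every vulnerability in the report.

    A Result with no findings omits the "Vulnerabilities" key (or carries
    null), so indexing it directly would crash on a clean scan.
    """
    for result in report.get("Results", []):
        for finding in result.get("Vulnerabilities") or []:
            yield result.get("Target", "<unknown>"), finding


def severity_summary(report):
    """Per-severity counts, every level present so the daily report is stable."""
    counts = Counter(f.get("Severity", "UNKNOWN").upper()
                     for _, f in iter_findings(report))
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def blocking_findings(report, blocking=RELEASE_BLOCKING, ignore_unfixed=False):
    """Findings that would fail a release.

    ignore_unfixed mirrors Trivy's --ignore-unfixed: skip findings with no
    FixedVersion, because no dependency bump can clear them yet.
    """
    hits = []
    for target, f in iter_findings(report):
        sev = f.get("Severity", "UNKNOWN").upper()
        if sev not in blocking:
            continue
        fixed = f.get("FixedVersion") or ""
        if ignore_unfixed and not fixed:
            continue
        hits.append({
            "id": f["VulnerabilityID"], "pkg": f["PkgName"],
            "installed": f.get("InstalledVersion", ""), "fixed": fixed,
            "severity": sev, "target": target,
        })
    return hits


def gate(report, release):
    """Job exit status: the daily scan (release=False) never fails, the
    release scan fails (1) on any HIGH/CRITICAL finding."""
    return 1 if release and blocking_findings(report) else 0


# Constructed sample in Trivy's JSON shape. IDs, package coordinates and
# versions are placeholders, not real vulnerabilities.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "build/reports/bom.json",
    "ArtifactType": "cyclonedx",
    "Results": [
        {"Target": "Java", "Class": "lang-pkgs", "Type": "jar",
         "Vulnerabilities": [
             {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "org.example:libfoo",
              "InstalledVersion": "1.2.0", "FixedVersion": "1.2.5", "Severity": "CRITICAL"},
             {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "org.example:libbar",
              "InstalledVersion": "3.0.1", "FixedVersion": "", "Severity": "HIGH"},
             {"VulnerabilityID": "EXAMPLE-0003", "PkgName": "org.example:libbaz",
              "InstalledVersion": "0.9.0", "FixedVersion": "0.9.1", "Severity": "LOW"},
         ]},
        # Clean target: Trivy emits no "Vulnerabilities" key here at all.
        {"Target": "Node.js", "Class": "lang-pkgs", "Type": "npm"},
    ],
}


def main(argv):
    """Usage: gate.py [trivy.json] [--release]; without a path the sample runs."""
    paths = [a for a in argv[1:] if not a.startswith("--")]
    release = "--release" in argv
    if paths:
        with open(paths[0]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    for sev, n in severity_summary(report).items():
        print(f"{sev:9}{n}")
    for h in blocking_findings(report):
        print(f"{h['severity']:9}{h['id']}  {h['pkg']}@{h['installed']}"
              f"  fixed: {h['fixed'] or 'none'}")
    return gate(report, release)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In the release workflow the native flags are the right tool; the value of post-processing the JSON is the stable per-severity summary for the daily run and an explicit choice about unfixed findings, which `--exit-code 1` would otherwise block a release on with no upgrade available. One caveat of the SBOM route: the CycloneDX plugin describes what Gradle resolved, not what ended up inside the uber JAR, so the scan covers declared dependencies rather than the shipped artifact.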

Copilot AI review requested due to automatic review settings September 6, 2025 15:07
Copilot AI (Contributor) left a comment

Pull Request Overview

This PR integrates Trivy vulnerability scanning into the CI/CD pipeline to enhance security by detecting vulnerabilities in dependencies. The implementation includes both daily scheduled scans for comprehensive vulnerability detection and pre-release scans that fail on high/critical vulnerabilities.

  • Adds CycloneDX BOM plugin for generating SBOMs since traditional file scanning isn't feasible with uber JARs
  • Creates a dedicated Trivy workflow for daily vulnerability scanning
  • Integrates Trivy scanning into the release workflow with severity filtering

Reviewed Changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 4 comments.

File                                   Description
gradle.properties                      Adds CycloneDX BOM plugin version for SBOM generation
.github/workflows/trivy.yml            New workflow for daily Trivy vulnerability scanning
.github/workflows/publish-release.yml  Integrates Trivy scanning into the release process with high/critical severity filtering


@nipunayf nipunayf changed the title Integrate Trivy into Workflows Integrate Trivy into workflows Sep 6, 2025
@nipunayf nipunayf merged commit ed7e956 into ballerina-platform:main Sep 6, 2025
3 checks passed


Development

Successfully merging this pull request may close these issues: Add Trivy scanner to the ballerina-language-server repository