Fix security scanning to update GitHub Security alerts

Changes to ensure fresh security alerts on GitHub:
- Remove path filtering to run security scans on all pushes/PRs
- Add fetch-depth: 0 for complete repository scanning
- Add exit-code: 0 to prevent workflow failures from blocking alerts
- Remove redundant GITHUB_TOKEN env (inherited from permissions)
- Simplify workflow triggers for more frequent security updates

This ensures the Security tab shows current scan results instead of
referencing outdated workflow configurations.

Signed-off-by: Ihor Dvoretskyi <[email protected]>

Author: idvoretskyi

.github/workflows/security.yml

@@ -2,19 +2,12 @@ name: Security Analysis
 
 on:
   schedule:
-    # Run security scans daily at 2 AM UTC
     - cron: '0 2 * * *'
   push:
     branches: [ main ]
-    paths:
-      - '.devcontainer/**'
-      - '.github/workflows/security.yml'
   pull_request:
     branches: [ main ]
-    paths:
-      - '.devcontainer/**'
-      - '.github/workflows/security.yml'
-  workflow_dispatch: # Allow manual trigger
+  workflow_dispatch:
 
 permissions:
   contents: read
@@ -27,6 +20,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
 
       - name: Build Docker image for scanning
         run: |
@@ -41,15 +36,14 @@ jobs:
           format: 'sarif'
           output: 'trivy-results.sarif'
           severity: 'CRITICAL,HIGH'
+          exit-code: '0'
 
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3
         if: always()
         with:
           sarif_file: 'trivy-results.sarif'
           category: 'trivy-image-scan'
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Generate SBOM
         uses: anchore/sbom-action@v0
@@ -73,12 +67,11 @@ jobs:
           format: 'sarif'
           output: 'trivy-fs-results.sarif'
           severity: 'CRITICAL,HIGH'
+          exit-code: '0'
 
       - name: Upload filesystem scan results
         uses: github/codeql-action/upload-sarif@v3
         if: always()
         with:
           sarif_file: 'trivy-fs-results.sarif'
-          category: 'trivy-filesystem-scan'
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          category: 'trivy-filesystem-scan'