In an effort to improve our rate of dependency bumps and CVE fixes, we would like more visibility into our scan results on each PR to the k3s project. This will likely involve a new GHA or something to that effect to expose the results of our CVE scans (right now we use Trivy) for each PR. That way we can evaluate what needs to be done on a release-to-release basis to mitigate CVEs.
After far, far too many PRs, due to this workflow running on master (thus new code cannot be live tested until it is actually merged), this feature is finally complete. Any registered k3s-io org member (that is PUBLIC) can call /trivy as a comment and the bot will respond and generate a report.
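The shape of a comment-triggered scan like the one described above, as an added illustration rather than the k3s project's actual workflow: a GitHub Actions job that fires on an `issue_comment` event, checks that the comment is `/trivy` on a pull request from a public org member (GitHub reports `author_association` as `MEMBER` only when the membership is public, which is why the comment above says the member must be PUBLIC), checks out the PR head, runs a Trivy filesystem scan, and posts the result as a PR comment. The workflow name, report file name, severity filter and comment format are assumptions chosen for the example; the action names and inputs used (`actions/checkout`, `aquasecurity/trivy-action`, `actions/github-script`) are the real published ones.

```yaml
# Added example, not the k3s project's own workflow.
name: trivy-on-demand

on:
  issue_comment:
    types: [created]

permissions:
  contents: read
  pull-requests: write   # needed to post the report comment

jobs:
  trivy:
    # Run only for "/trivy" comments on pull requests from public org members.
    # author_association is MEMBER only when the commenter's org membership is public;
    # private members appear as CONTRIBUTOR or NONE and are rejected here.
    if: >-
      github.event.issue.pull_request &&
      startsWith(github.event.comment.body, '/trivy') &&
      contains(fromJSON('["MEMBER","OWNER"]'), github.event.comment.author_association)
    runs-on: ubuntu-latest
    steps:
      # issue_comment runs against the default branch, so the PR head must be fetched explicitly.
      - name: Check out the PR head
        uses: actions/checkout@v4
        with:
          ref: refs/pull/${{ github.event.issue.number }}/head

      # Filesystem scan of the checked-out tree (go.mod, Dockerfiles, etc.).
      # Nothing from the PR is executed; only its manifests are read.
      - name: Scan PR tree for known CVEs
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
          scan-ref: .
          format: table
          output: trivy-report.txt     # assumed file name
          severity: HIGH,CRITICAL      # assumed filter; widen as needed
          ignore-unfixed: true
          exit-code: '0'               # report only; do not fail the job

      - name: Post the report on the PR
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const report = fs.readFileSync('trivy-report.txt', 'utf8').trim();
            const body = report
              ? '~~~\n' + report + '\n~~~'
              : 'No fixable HIGH/CRITICAL vulnerabilities found.';
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: '### Trivy report for PR #' + context.issue.number + '\n' + body,
            });
```

Two practitioner caveats. First, `issue_comment` workflows always execute the workflow file from the default branch, which is exactly the "cannot be live tested until merged" constraint mentioned in the comment above; iterating on such a workflow means merging each revision. Second, because the job has `pull-requests: write` and checks out fork-supplied code, keep it to steps that only read the tree (a Trivy `fs` scan does), and do not add a build or test step that would execute PR-controlled code with that token.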