ci(docker): fail image build on CRITICAL/HIGH Trivy findings

- Add a table-format Trivy scan with exit-code 1 after the SARIF record
- Block the subsequent registry push when CRITICAL or HIGH CVEs are found
- Keep SARIF upload running via if: always() for Security tab visibility

Author: appleboy

.github/workflows/docker.yml

@@ -84,9 +84,19 @@ jobs:
 
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v4
+        if: always()
         with:
           sarif_file: "trivy-docker-results.sarif"
 
+      - name: Trivy image scan (fail on CRITICAL/HIGH)
+        uses: aquasecurity/trivy-action@0.35.0
+        with:
+          image-ref: ${{ env.REPO }}:scan
+          ignore-unfixed: true
+          format: "table"
+          severity: "CRITICAL,HIGH"
+          exit-code: "1"
+
       - name: Build and push
         uses: docker/build-push-action@v7
         with: