
ci: extend Trivy gate beyond amd64 #38

@KingPin


Context

In PR #37 the publish gate moved to Trivy in build-and-test, but the scan only runs on the amd64 matrix leg (if: matrix.arch == 'amd64' at .github/workflows/docker-ci.yml:367). arm64 and armv7 images still publish without a vulnerability scan, so an arch-specific binary CVE could ship.

Most vulnerabilities come from base OS packages that are identical across architectures, so the amd64 scan is a strong proxy. But install-php-extensions and a handful of native libs (libpng, libavif, vips, etc.) produce per-arch binaries that could in principle differ — and the gate as configured does not catch those.

Options

  1. Scan every arch leg. Drop the matrix.arch == 'amd64' guard. Cheap on native arm64 (ubuntu-24.04-arm) but armv7 runs under QEMU and adds noticeable wall time.
  2. Scan the merged manifest after publish-merge. Single Trivy invocation against the final multi-arch tag. Moves the gate after publish, which weakens the original "gate before push" property of Optimize build + CI workflow: per-arch parallel builds, Trivy gating, SBOM #37.
  3. Scan amd64 + arm64 (skip armv7). Hybrid: catches the two architectures users actually consume in production without the QEMU tax. armv7 stays implicitly trusted via the amd64 scan.

Acceptance

  • Decide on one of the above (or another) and document the rationale inline in the workflow.
  • If extending scans to additional arches, ensure SARIF uploads still go to distinct category: values so the Security tab doesn't overwrite findings between arches.

Original Copilot review comment: #37 (comment)... (see PR #37 review thread).
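For reference, here is what the three options and the SARIF-category acceptance item look like in workflow terms. This is an added illustration, not the project's .github/workflows/docker-ci.yml: the job and step names, the local image tag, the matrix shape and the pinned action versions are assumptions; the action inputs (image-ref, format, output, exit-code, severity, sarif_file, category) are the documented ones for aquasecurity/trivy-action and github/codeql-action/upload-sarif.

```yaml
# Added illustration (not the project's docker-ci.yml): one build-and-test matrix leg
# with the Trivy gate widened from amd64-only to amd64 + arm64 (option 3) and a
# distinct SARIF category per architecture. Names, tags and versions are assumptions.
jobs:
  build-and-test:
    strategy:
      fail-fast: false
      matrix:
        include:
          - arch: amd64
            runner: ubuntu-24.04
          - arch: arm64
            runner: ubuntu-24.04-arm    # native arm64, no QEMU
          - arch: armv7
            runner: ubuntu-24.04        # emulated under QEMU, slow
    runs-on: ${{ matrix.runner }}
    permissions:
      contents: read
      security-events: write            # needed by upload-sarif
    steps:
      # ... checkout, buildx setup and the per-arch image build go here ...

      # BEFORE (the gate as described in this issue): only the amd64 leg is scanned.
      # arm64 and armv7 reach publish with no scan at all.
      #
      # - name: Trivy scan
      #   if: matrix.arch == 'amd64'
      #   uses: aquasecurity/trivy-action@0.28.0
      #   with:
      #     image-ref: local/app:${{ matrix.arch }}
      #     format: sarif
      #     output: trivy-${{ matrix.arch }}.sarif
      #     exit-code: '1'
      #     severity: CRITICAL,HIGH

      # AFTER: scan the architectures users consume in production (option 3).
      # For option 1, delete the `if:` line so every leg, armv7 included, is gated.
      - name: Trivy scan (${{ matrix.arch }})
        if: matrix.arch == 'amd64' || matrix.arch == 'arm64'
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: local/app:${{ matrix.arch }}
          format: sarif
          output: trivy-${{ matrix.arch }}.sarif
          ignore-unfixed: true
          exit-code: '1'                # non-zero on findings fails the leg, so publish never runs
          severity: CRITICAL,HIGH

      # Upload even when the scan step failed so the findings reach the Security tab.
      # A category that includes the arch keeps one leg's results from overwriting another's;
      # with a shared category the last upload would replace the earlier ones.
      - name: Upload Trivy SARIF (${{ matrix.arch }})
        if: always() && (matrix.arch == 'amd64' || matrix.arch == 'arm64')
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-${{ matrix.arch }}.sarif
          category: trivy-image-${{ matrix.arch }}
```

Option 2 is not shown because it is a separate job that runs after publish-merge against the merged manifest tag; it would use the same two steps with `image-ref` pointing at the registry tag, but the scan then happens after the push, which is the property the original gate was meant to preserve.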
