fix(ci): bump helm to 4.1.4 for plugin CVE fixes

[johntmyers]

Summary

Bumps the helm pin in mise.toml from 4.1.1 to 4.1.4 to clear four High-severity container findings against ghcr.io/nvidia/openshell/ci. Source: nSpect Security Tracker (NSPECT-4VVR-UWWE).

Related Issue

No tracking issue — direct remediation from the nSpect tracker; security vulns are not filed as GitHub issues per SECURITY.md.

Changes

• mise.toml: helm = "4.1.1" → helm = "4.1.4"

Addresses:

• CVE-2026-35204 / GHSA-vmx8-mqv2-9gmg — Helm plugin path traversal allows arbitrary file write outside plugin dir
• CVE-2026-35205 / GHSA-q5jf-9vfq-h4h7 — Helm plugin verification fails open when .prov is missing

Testing

• mise run pre-commit — license:check fails on pre-existing gitignored files in architecture/plans/, not related to this change; no pre-commit hook installed locally
• Unit tests added/updated — N/A (tool version pin)
• E2E tests added/updated — will run on this PR via CI
• mise install resolves helm@4.1.4 — deferred to CI image rebuild

Checklist

• Follows Conventional Commits
• Commits are signed off (DCO)
• Architecture docs updated — N/A

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[github-actions]

🌿 Preview your docs: https://nvidia-preview-pr-928.docs.buildwithfern.com/openshell