ci: use centralized vuln remediation workflow from infra

[ulziibay-kernel]

Replace per-repo workflow + prompt with a thin caller that invokes the reusable 3-stage pipeline (triage → fix → PR) in kernel/infra. Per-repo config in .github/vuln-remediation.json.

Made with Cursor

---

Note

Low Risk
Low risk CI/config-only change; it affects automated remediation scheduling and scanner scope but does not change application runtime behavior.

Overview
Adds a new GitHub Actions workflow (.github/workflows/vuln-remediation.yml) that runs on a weekly cron (and manually) and delegates remediation to the reusable kernel/security-workflows pipeline, passing server/go.mod for Go versioning and inheriting secrets.

Introduces socket.yml to configure Socket scanning, ignoring shared/cdp-test/ and images/chromium-headful/client/.

^{Reviewed by Cursor Bugbot for commit 80546a7. Bugbot is set up for automated code reviews on this repo. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 2 total unresolved issues (including 1 from previous review).

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 0b5bcf5. Configure here.}

[cursor]

Mutable branch ref for secrets-inheriting reusable workflow

Medium Severity

The reusable workflow at kernel/infra is referenced by a mutable branch name (@security/vuln-remediation-reusable) rather than a pinned commit SHA, while also using secrets: inherit with contents: write and pull-requests: write permissions. Any push to that branch in kernel/infra would immediately execute new code with this repo's full secrets and write token, without any change or review in this repo. All other reusable workflow calls in this repo are local; this is the first external reference and warrants SHA pinning.

 

^{Reviewed by Cursor Bugbot for commit 0b5bcf5. Configure here.}