
chore(ci): remove vulnerability-scan, add security-slack-notify#1579

Merged
PMerlet merged 2 commits into main from chore/remove-security-workflows on May 13, 2026

Conversation


@PMerlet PMerlet commented May 12, 2026

Summary

  • Removes `vulnerability-scan.yml` (weekly Trivy scan + Slack post). Security vulnerabilities are now handled by a Claude routine running weekly.
  • Adds `security-slack-notify.yml` — thin caller workflow that posts to #tech_all when a PR is labeled `:lock: security`. Mirrors what is already in place on forestadmin-server.

Test plan

  • End-to-end Slack notification flow verified in forestadmin-server (test PR closed)
  • After merge, label a PR with `:lock: security` to confirm the workflow fires in this repo too

Note: needs the org-level `SLACK_BOT_TOKEN` secret to be accessible by this repo, and the corresponding Slack bot to be a member of #tech_all.

🤖 Generated with Claude Code

Note

Replace vulnerability-scan workflow with security PR Slack notification workflow

  • Removes vulnerability-scan.yml, which ran a weekly scheduled scan every Friday and supported manual dispatch.
  • Adds security-slack-notify.yml, a workflow that triggers when a PR is labeled :lock: security and posts a Slack notification via a reusable notify-slack-security-pr workflow with PR metadata and repository name.
  • Risk: the weekly vulnerability scan will no longer run automatically or send its associated notifications.

Macroscope summarized 728d863.
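To make the "thin caller" described in the PR summary and the Macroscope note concrete, here is an illustrative caller workflow. It is an added example, not the merged `security-slack-notify.yml`; the reusable workflow's path under `forestadmin/.github`, its input names and its ref are assumptions.

```yaml
# Illustrative caller workflow (not the merged file). Assumes the reusable
# workflow lives at .github/workflows/notify-slack-security-pr.yml in the
# forestadmin/.github repo and accepts the inputs named below.
name: security-slack-notify

on:
  pull_request:
    types: [labeled]   # fires once per label added, not on every PR event

jobs:
  notify:
    # Only the security label triggers a post; any other label is a no-op.
    if: github.event.label.name == ':lock: security'
    # Job-level "uses" delegates the whole job to the org reusable workflow.
    uses: forestadmin/.github/.github/workflows/notify-slack-security-pr.yml@main
    with:
      repository: ${{ github.repository }}
      pr_number: ${{ github.event.pull_request.number }}
      pr_title: ${{ github.event.pull_request.title }}
      pr_url: ${{ github.event.pull_request.html_url }}
    secrets:
      # Org-level secret; the PR note says it must be shared with this repo.
      SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
```

Because the trigger is `pull_request` rather than `pull_request_target`, runs from forked PRs do not receive `SLACK_BOT_TOKEN`, which is the safe default; the label check in `if` keeps the job from consuming runner minutes on unrelated label events.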

PMerlet and others added 2 commits May 12, 2026 15:51
Security vulnerability fixes are now handled by a Claude routine on a
weekly basis.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Thin caller — delegates to forestadmin/.github reusable workflow.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

qltysh Bot commented May 12, 2026

Qlty


Coverage Impact

This PR will not change total coverage.

🚦 See full report on Qlty Cloud »

🛟 Help
  • Diff Coverage: Coverage for added or modified lines of code (excludes deleted files).
  • Total Coverage: Coverage for the whole repository, calculated as the sum of all File Coverage.
  • File Coverage: Covered Lines divided by Covered Lines plus Missed Lines. (Excludes non-executable lines including blank lines and comments.)
  • Indirect Changes: Changes to File Coverage for files that were not modified in this PR.

@PMerlet PMerlet merged commit 1a6b60d into main May 13, 2026
29 checks passed
@PMerlet PMerlet deleted the chore/remove-security-workflows branch May 13, 2026 10:08