feat: Add validate lockfile workflow to complement CVE scanning

[Fiona-Waters]

What this PR does / why we need it:

This PR adds a workflow to prevent dependency security regressions by validating uv.lock changes on every PR.

What It Does

• Validates lockfile sync: Ensures uv lock was run after pyproject.toml changes
• Scans for CVEs: Uses Trivy to scan both the PR branch and base branch lockfiles for HIGH/CRITICAL vulnerabilities
• Prevents regressions: Blocks PRs that introduce CVEs not present in the base branch
• Smart comparison: Compares CVE+Package (not version) to avoid false positives when upgrading within a vulnerable range
• Developer-friendly feedback: Posts/updates a single comment with CVE details, advisory links, and fix instructions
• Auto-cleanup: Deletes the warning comment when CVEs are resolved
• Optimized: Only scans lockfiles (not entire codebase), cancels outdated runs when new commits are pushed

Why This Matters

Works alongside the nightly Trivy workflow and Dependabot to ensure:

• CVE fixes from automated PRs aren't accidentally reverted by developer changes
• Developers get immediate feedback if their dependency updates introduce vulnerabilities
• Main branch maintains a secure dependency baseline

Required Setup

After merging, add branch protection rule for main:

• Require status check: check-security-regressions (This will be available after the first workflow run)
• Require branches to be up-to-date before merging (prevents race conditions)

Which issue(s) this PR fixes (optional, in Fixes #<issue number>, #<issue number>, ... format, will close the issue(s) when PR gets merged):

Fixes #

Checklist:

• Docs included if any changes are user facing

cc @andreyvelich

[google-oss-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign andreyvelich for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coveralls]

Pull Request Test Coverage Report for Build 22148356746

Details

• 0 of 0 changed or added relevant lines in 0 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage remained the same at 76.574%

---

Totals
Change from base Build 22144252595:	0.0%
Covered Lines:	4331
Relevant Lines:	5656

---

💛 - Coveralls

[Copilot]

Pull request overview

This PR adds a comprehensive security validation workflow that prevents dependency regression by scanning lockfile changes for CVEs on every PR that modifies uv.lock or pyproject.toml.

Changes:

• Adds automated lockfile sync validation to ensure developers run uv lock after modifying dependencies
• Implements CVE regression detection by comparing PR branch vulnerabilities against the base branch baseline
• Provides developer-friendly feedback through automated PR comments that include CVE details, advisory links, and remediation steps