fix(ci): use oci-archive format for trivy scan and cache vulndb

The image was built and saved as an OCI archive (via buildah push
oci-archive:...) but trivy was invoked with --input which only
accepts Docker-format tars. Switch to the oci-archive: image
reference so trivy correctly parses the OCI layout.

Also add a GitHub Actions cache step for ~/.cache/trivy so the
85 MiB vulnerability DB is not re-downloaded on every release run.

https://claude.ai/code/session_01FovhL9GqcEehmbUDtPyt5Z

Author: claude

.github/workflows/release.yaml

@@ -101,14 +101,22 @@ jobs:
           IMAGE_NAME: ${{ steps.manifest.outputs.image_name }}
         run: dive --ci --source=docker "${IMAGE_NAME}:${IMAGE_VERSION}"
 
+      - name: Cache Trivy vulnerability DB
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/trivy
+          key: trivy-db-${{ runner.os }}-${{ github.run_id }}
+          restore-keys: |
+            trivy-db-${{ runner.os }}-
+
       - name: Trivy vulnerability scan
         env:
           IMAGE_NAME: ${{ steps.manifest.outputs.image_name }}
         run: |
           trivy image \
-            --input "build/${IMAGE_NAME}.tar" \
             --severity HIGH,CRITICAL \
-            --exit-code 1
+            --exit-code 1 \
+            "oci-archive:build/${IMAGE_NAME}.tar"
 
       - name: Login to GHCR
         env: