Conversation

@peter-at-progress
Contributor

Description

Adds a reusable composite action that automates the process of downloading Chef products from downloads.chef.io and running Grype vulnerability scans. This action:

  • Resolves latest product versions from Chef downloads API (commercial or community)
  • Downloads and extracts packages for specified OS/architecture combinations
  • Runs Grype security scans with JSON output
  • Generates metadata including version info, scan environment, and severity counts
  • Provides clear error messages for common failure modes (license expiration, auth issues)

Files added:

  • action.yml - Composite action definition
  • run.py - Python implementation

Related Issue

N/A - New capability for vulnerability scanning automation

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Chore (non-breaking change that does not add functionality or fix an issue)

Checklist:

  • [x] I have read the CONTRIBUTING document.
  • I have run the pre-merge tests locally and they pass.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes. (Note: Composite actions validated through integration testing; action tested via 9 successful runs in chef-vuln-scan-orchestrator)
  • If Gemfile.lock has changed, I have used --conservative to do it and included the full output in the Description above.
  • All new and existing tests passed.
  • All commits have been signed-off for the Developer Certificate of Origin.

Signed-off-by: Peter Arsenault <parsenau@progress.com>
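The description above says the action runs Grype with JSON output and then derives metadata (version info, scan environment, severity counts) from it. The following is an added example, not code from this PR or from the `run.py` it introduces, showing how such post-processing of a Grype JSON report can be done: counting findings per severity, building a small metadata record, and applying a severity gate a pipeline could fail on. The Grype report embedded here is constructed, with placeholder CVE identifiers and versions, and the field layout (`matches[].vulnerability.severity`, `descriptor.version`) is this example's assumption about Grype's JSON format rather than something the PR states.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample of a Grype JSON report, trimmed to the fields this
# example reads. The field names are an assumption about Grype's JSON
# output format; the CVE ids and versions are placeholders, not real data.
SAMPLE_GRYPE_JSON = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-EXAMPLE-0001", "severity": "High"},
         "artifact": {"name": "libexample", "version": "1.0.0"}},
        {"vulnerability": {"id": "CVE-EXAMPLE-0002", "severity": "Critical"},
         "artifact": {"name": "libexample", "version": "1.0.0"}},
        {"vulnerability": {"id": "CVE-EXAMPLE-0003", "severity": "High"},
         "artifact": {"name": "othertool", "version": "2.3.4"}},
        {"vulnerability": {"id": "CVE-EXAMPLE-0004", "severity": None},
         "artifact": {"name": "othertool", "version": "2.3.4"}},
    ],
    "descriptor": {"name": "grype", "version": "0.0.0-example"},
})

# Highest to lowest; findings with no severity are folded into "Unknown".
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Negligible", "Unknown"]


def load_report(text):
    """Parse a Grype JSON report from text; raises on malformed input."""
    report = json.loads(text)
    if not isinstance(report, dict) or "matches" not in report:
        raise ValueError("not a Grype JSON report: missing 'matches' key")
    return report


def severity_counts(report):
    """Return a dict with a count for every severity level, zero if absent."""
    counts = Counter()
    for match in report.get("matches", []):
        sev = match.get("vulnerability", {}).get("severity") or "Unknown"
        counts[sev] += 1
    # Unknown severity strings not in SEVERITY_ORDER are still reported.
    ordered = {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}
    for sev, n in counts.items():
        ordered.setdefault(sev, n)
    return ordered


def findings_at_or_above(counts, threshold):
    """Number of findings whose severity is at least `threshold`."""
    if threshold not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity threshold: {threshold}")
    cutoff = SEVERITY_ORDER.index(threshold)
    return sum(counts.get(sev, 0) for sev in SEVERITY_ORDER[: cutoff + 1])


def build_metadata(product, version, os_name, arch, report, scanned_at=None):
    """Assemble the metadata record a scan job would publish next to the
    raw report. `product`, `version`, `os_name` and `arch` are whatever the
    caller resolved for the package under test (assumed inputs here)."""
    scanned_at = scanned_at or datetime.now(timezone.utc)
    return {
        "product": product,
        "version": version,
        "platform": {"os": os_name, "arch": arch},
        "scan_environment": {
            "scanner": report.get("descriptor", {}).get("name", "grype"),
            "grype_version": report.get("descriptor", {}).get("version", "unknown"),
            "scanned_at": scanned_at.isoformat(),
        },
        "severity_counts": severity_counts(report),
        "total_findings": len(report.get("matches", [])),
    }


if __name__ == "__main__":
    rpt = load_report(SAMPLE_GRYPE_JSON)
    meta = build_metadata("example-product", "0.0.0-placeholder",
                          "ubuntu", "x86_64", rpt)
    print(json.dumps(meta, indent=2))
    gate = findings_at_or_above(meta["severity_counts"], "High")
    print(f"findings at High or above: {gate}")
```

`findings_at_or_above` is the piece a CI job would wire to its exit status, so that a scan which only reports Low or Negligible findings still passes while anything at the chosen threshold fails the run; the ordered `SEVERITY_ORDER` list keeps that comparison explicit instead of relying on string ordering.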
@sean-sype-simmons
Contributor

@peter-at-progress - this is pretty neat. Where are we wanting to run this pipeline? Is it being called by another action somewhere?

@peter-at-progress
Contributor Author

@sean-sype-simmons Yes, this is being called by an action that runs a Grype scan on the released binaries. That action is in a private repo.

@peter-at-progress peter-at-progress merged commit 4708759 into main Jan 23, 2026
3 checks passed
@peter-at-progress peter-at-progress deleted the download-grype-snapshot branch January 23, 2026 19:38