ci: use centralized vuln remediation workflow from infra#206
ulziibay-kernel wants to merge 7 commits into main from
Made-with: Cursor
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 2 total unresolved issues (including 1 from previous review).
Reviewed by Cursor Bugbot for commit 0b5bcf5.
| uses: kernel/infra/.github/workflows/vuln-remediation.yml@security/vuln-remediation-reusable | ||
| with: | ||
| go-version-file: 'server/go.mod' | ||
| secrets: inherit |
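Review bot: the `uses:` line pins the external reusable workflow to a branch (`@security/vuln-remediation-reusable`), so whoever can push to that branch in kernel/infra can change what runs here with this repo's write token and every secret passed by `secrets: inherit`. Replace the branch with a full 40-character commit SHA (e.g. `uses: kernel/infra/.github/workflows/vuln-remediation.yml@<full-commit-sha> # security/vuln-remediation-reusable`) and, if the pipeline only needs a token and an API key, pass those under an explicit `secrets:` map instead of `inherit` so a compromise of the callee cannot read unrelated secrets.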
Mutable branch ref for secrets-inheriting reusable workflow
Medium Severity
The reusable workflow at kernel/infra is referenced by a mutable branch name (@security/vuln-remediation-reusable) rather than a pinned commit SHA, while also using secrets: inherit with contents: write and pull-requests: write permissions. Any push to that branch in kernel/infra would immediately execute new code with this repo's full secrets and write token, without any change or review in this repo. All other reusable workflow calls in this repo are local; this is the first external reference and warrants SHA pinning.
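A check a reviewer can run locally to catch this class of issue before merge, added here as an example and not part of the PR or the kernel/infra project: it lists every external `uses:` reference in a workflow file that is not pinned to a full commit SHA, skipping local `./` references (the distinction the review comment draws). The sample workflow it writes is constructed for the example, and the 40-hex SHA in it is a placeholder, not a real commit.

```shell
#!/bin/sh
# Added example, not code from the PR: find `uses:` references to external
# reusable workflows or actions that are not pinned to a 40-hex commit SHA.

# Usage: find_unpinned_uses <workflow.yml>
# Prints each unpinned external reference on its own line.
# Returns 0 when every external reference is SHA-pinned, 1 otherwise.
find_unpinned_uses() {
  unpinned=$(
    # Keep only the value after "uses:" (list items and plain keys alike),
    # drop trailing comments, and strip surrounding quotes.
    sed -n 's/^[[:space:]-]*uses:[[:space:]]*//p' "$1" \
      | sed 's/[[:space:]]*#.*$//' \
      | tr -d "\"'" \
      | while IFS= read -r ref; do
          case "$ref" in
            ./*) continue ;;   # local workflow/action: nothing external to pin
          esac
          sha=${ref##*@}       # text after the last "@" (whole ref if no "@")
          if ! printf '%s' "$sha" | grep -Eq '^[0-9a-f]{40}$'; then
            printf '%s\n' "$ref"
          fi
        done
  )
  [ -z "$unpinned" ] && return 0
  printf '%s\n' "$unpinned"
  return 1
}

# Writes a constructed caller workflow to $1 for demonstration. The SHA on the
# checkout line is a placeholder, not a real commit.
write_sample_workflow() {
  cat > "$1" <<'EOF'
name: Vulnerability Remediation
on:
  schedule:
    - cron: '0 6 * * 1'
  workflow_dispatch:
jobs:
  remediate:
    uses: kernel/infra/.github/workflows/vuln-remediation.yml@security/vuln-remediation-reusable
    with:
      go-version-file: 'server/go.mod'
    secrets: inherit
  lint:
    uses: ./.github/workflows/lint.yml
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - uses: "actions/setup-go@v5"
EOF
}

# Stand-alone run: report unpinned references in the constructed sample.
sample_dir=$(mktemp -d)
write_sample_workflow "$sample_dir/caller.yml"
if find_unpinned_uses "$sample_dir/caller.yml"; then
  echo "all external uses: references are SHA-pinned"
else
  echo "unpinned external uses: references found (listed above)"
fi
```

Run it against each file under `.github/workflows/` in a pre-merge check; a non-zero exit from `find_unpinned_uses` is the signal to block. The grep for exactly 40 lowercase hex characters is deliberately strict, since tags and branch names are mutable even when they look like a version.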
…orkflows ref Co-authored-by: Cursor <cursoragent@cursor.com>


Replace per-repo workflow + prompt with a thin caller that invokes the reusable 3-stage pipeline (triage → fix → PR) in kernel/infra. Per-repo config in .github/vuln-remediation.json.
Note
Low Risk
Adds a scheduled/dispatchable GitHub Actions workflow that delegates to an external reusable remediation pipeline; impact is limited to CI automation and PR creation permissions.
Overview
Introduces a new Vulnerability Remediation GitHub Actions workflow that runs weekly (and on manual dispatch) and delegates triage → fix → PR to the reusable kernel/security-workflows pipeline, configured with server/go.mod and Python setup.
Adds socket.yml configuration to ignore vulnerability scanning for shared/cdp-test/ and images/chromium-headful/client/.
Reviewed by Cursor Bugbot for commit eefa273.