
Add CVE scan GitHub workflow that is triggered on pull requests #2978

Merged

Conversation

weresch

@weresch weresch commented Jun 28, 2024

Thank you for contributing to the CF CLI! Please read the following:

  • Please make sure you have implemented changes in line with the contributing guidelines
  • We're not allowed to accept any PRs without a signed CLA, no matter how small.
    If your contribution falls under a company CLA but your membership is not public, expect delays while we confirm.
  • All new code requires tests to protect against regressions.
  • Contributions must be made against the appropriate branch. See the contributing guidelines.
  • Contributions must conform to our style guide. Please reach out to us if you have questions.

Note: Please create a separate PR for every branch (main, v8 and v7) as needed.

Description of the Change

Adding a CVE scan GitHub workflow on PRs. This has been merged to main; this PR is for the v8 branch.

Why Is This PR Valuable?

The CVE scan GitHub workflow on PRs helps prevent known CVEs from being added to the codebase.

Applicable Issues

No applicable issues

How Urgent Is The Change?

Not urgent

Other Relevant Parties

No one else

…dfoundry#2977)

* Add a GitHub workflow to scan for CVEs
* Run on each commit, PR, and on-demand
* Remove CVE scan workflow trigger on commits

@joaopapereira joaopapereira left a comment


LGTM


@a-b a-b left a comment


LGTM

@a-b a-b merged commit de5b5ee into cloudfoundry:v8 Jul 1, 2024
1 check passed

chinigo commented Jul 1, 2024

[This is essentially the same comment as on #2979, the v7 variant of this PR.]

There were no checks run against this PR, which surprises me. According to the docs:

Each workflow run will use the version of the workflow that is present in the associated commit SHA or Git ref of the event. When a workflow runs, GitHub sets the GITHUB_SHA (commit SHA) and GITHUB_REF (Git ref) environment variables in the runner environment. For more information, see "Variables."

I interpret that to mean "the workflows executed against a PR are defined on the branch being merged in." (As opposed to, say, the default branch, or the branch being targeted by the PR.) And this is the behavior @weresch and I saw when we were working on his fork.

But it's not just the new CVE check that failed to run — no checks were run at all. Earlier pull requests into v8, such as this one, #2973, from Friday do have checks.

Did we somehow break checks on v8 PRs altogether? One way we could test this is to trigger a rebuild of another PR targeting v8. Could somebody with commit access to this repo (@a-b?) maybe rebase one of those PRs, say, #2973, to see if the new CVE check — along with the other, preexisting ones — is run?
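As an added illustration (not the workflow file from this PR or from the cloudfoundry/cli repository), here is a minimal GitHub Actions workflow with the triggers the commits above end up with (pull requests plus on-demand) that runs govulncheck; the file path, the Go toolchain (assumed because the CF CLI is written in Go) and the action versions are assumptions. The comment on the `pull_request` trigger states the behaviour the thread above is asking about.

```yaml
# Assumed path: .github/workflows/cve-scan.yml (hypothetical example, not the project's file)
name: CVE scan

on:
  # For pull_request events GitHub runs the workflow definition from the PR's
  # merge commit (refs/pull/N/merge), so a workflow file added in the PR itself
  # is picked up on that PR. (pull_request_target would use the base branch's copy.)
  pull_request:
  # On-demand runs from the Actions tab.
  workflow_dispatch:

# Least privilege: scanning only needs to read the checked-out tree.
permissions:
  contents: read

jobs:
  govulncheck:
    runs-on: ubuntu-latest
    steps:
      # Supply-chain note: pin third-party actions to a full commit SHA rather than
      # a moving tag when hardening this for real use; tags are used here for brevity.
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod   # assumes the module pins its Go version in go.mod
      - name: Install govulncheck
        run: go install golang.org/x/vuln/cmd/govulncheck@latest
      - name: Scan for known vulnerabilities reachable from this module
        # Non-zero exit fails the check, which is what blocks a PR that pulls in a known CVE.
        run: govulncheck ./...
```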
