fix: harden supply chain workflow vulnerability reporting

Forced workflow failure if scan results are missing (prevents false negatives)
Fixed "Fail on critical" step to use calculated counts instead of missing action outputs
Added debug logging and file verification for Grype scans
Refactored shell scripts to prevent injection vulnerabilities

trivy-report.json

@@ -0,0 +1,10 @@
+{
+  "SchemaVersion": 2,
+  "Trivy": {
+    "Version": "0.69.1"
+  },
+  "ReportID": "019c31f7-70d6-7974-912c-81d08eba4356",
+  "CreatedAt": "2026-02-06T08:00:25.814622916Z",
+  "ArtifactName": ".github/workflows/supply-chain-pr.yml",
+  "ArtifactType": "filesystem"
+}