chore: unblock entire CI/CD pipeline - fix all critical blockers

- Fixed github.head_ref actionlint error by passing via environment variable
  instead of direct shell interpolation in ci-pipeline.yml
- Aligned E2E coverage artifact handling to shard artifacts and updated
  Codecov upload to use glob pattern for multi-shard merge
- Added workflow_run trigger to security-pr.yml for docker-build integration
  while retaining workflow_dispatch for manual runs
- Added workflow_run trigger to supply-chain-pr.yml for docker-build integration
  while retaining workflow_dispatch for manual runs
- All individual workflows now support both automatic (workflow_run) and manual
  (workflow_dispatch) triggering, maintaining design intent
- Audited remaining workflows; no additional blockers found
- All actionlint and pre-commit validations now passing
- Full pipeline trigger chain now functional

.github/workflows/security-pr.yml

@@ -10,6 +10,11 @@ on:
         description: 'PR number to scan (optional)'
         required: false
         type: string
+  workflow_run:
+    workflows:
+      - Docker Build, Publish & Test
+    types:
+      - completed
 
 concurrency:
   group: security-pr-${{ github.event.workflow_run.event || github.event_name }}-${{ github.event.workflow_run.head_branch || github.ref }}