STAC-25082: add skip-files input to scan-image action

[viliakov]

Summary

Add an optional skip-files input to the scan-image composite action so
callers can exclude in-image paths from vulnerability scanning when the
artefact is an upstream binary they ship but don't audit per-CVE.

• Newline-separated list of absolute paths.
• Threaded into Trivy as --skip-files <path> and Grype as --exclude <path> for the vulnerability scans only.
• The Trivy secrets scan is deliberately untouched — secret coverage stays comprehensive across every file, regardless of the skip list.

Why

Mirrors the precedent in StackVista/stackstate-ci-images
.github/workflows/ci.yml, which already uses trivy --skip-files for the
terraform binary in stackstate-devops and gcc-7 in python-cli-builder.

The immediate consumer is o11y-tooling: its image bundles upstream
getsops/sops v3.13.1, which contributes ~22 CVEs in stdlib,
golang.org/x/crypto, and golang.org/x/net. They're not reachable from
o11y-tooling's own code, fixes depend on getsops cutting a new release, and
holding 22 per-CVE exception YAMLs is the wrong shape — the upstream binary
should simply be out of scope for our gate. See STAC-25082.

Test plan

• Existing Action unit tests (local-clean, known-vuln, × amd64/arm64) still pass — no skip-files used, behaviour unchanged.
• Zizmor (Workflow Security Audit) passes — runs locally clean.
• Once merged, the o11y-tooling STAC-25082 PR bumps the action SHA and exercises skip-files: /usr/bin/sops against the published consumer image.