Address phase 1 critical CVE findings

[geropl]

Summary

Implements Phase 1 of the CLC-2255 critical CVE remediation plan:

• Bumps the proxy Caddy builder/runtime images from 2.11.2 to 2.11.4.
• Runs apk upgrade --no-cache in the image-builder-bob Dockerfile before installing runtime packages, refreshing Alpine packages such as OpenSSL.
• Makes SBOM and vulnerability report uploads run with always() after the scan step, while guarding on populated scan output paths.
• Documents that the existing BuildKit GO-2026-4858 suppression is workspace-global until artifact-scoped suppressions are available.

Issues

Relates to CLC-2255

Validation

• git diff --check
• leeway build components/proxy:docker --dont-test -Dversion=dev -DimageRepoBase=localhost:5000/gitpod
• leeway sbom scan components/proxy:docker --output-dir /tmp/proxy-scan -Dversion=dev -DimageRepoBase=localhost:5000/gitpod
  • components/proxy:docker: critical=0 high=5
• leeway build components/image-builder-bob:docker --dont-test -Dversion=dev -DimageRepoBase=localhost:5000/gitpod
• leeway sbom scan components/image-builder-bob:docker --output-dir /tmp/bob-scan -Dversion=dev -DimageRepoBase=localhost:5000/gitpod
  • components/image-builder-bob:docker: critical=0 high=98 ignored=2

Both Docker builds confirmed libcrypto3 and libssl3 were upgraded from 3.5.6-r0 to 3.5.7-r0.