
Improve critical vulnerability scan summaries #21499

Merged
geropl merged 1 commit into main from ona/phase-4-critical-vulnerability-reporting on Jun 22, 2026
Conversation

@geropl geropl (Member) commented Jun 22, 2026

Summary

Implements phase 4 of the critical CVE remediation plan by making scheduled critical vulnerability failures easier to triage from the GitHub Actions summary.

  • Keep the existing vulnerability-stats.json critical package check and failure behavior unchanged.
  • Add a compact per-finding summary table for critical matches, grouped by generated scan report / affected package.
  • Include vulnerability ID, artifact name/version, artifact location, and fix state / fixed versions.
  • Apply the same reporting logic to both build.yml and branch-build.yml so the workflows stay aligned.

The SBOM and vulnerability report artifact uploads already use always() on latest main, so this PR focuses on the remaining phase 4 reporting improvement.

Validation

  • git diff --check
  • Local shell/JQ fixture test covering fixed critical, unfixed critical, empty locations, and ignored non-critical findings.
  • Commit pre-check hooks passed.

Notes: actionlint and ruby are not installed in this environment, so I could not run a full workflow syntax linter locally.

Co-authored-by: Codex <noreply@openai.com>
@geropl geropl enabled auto-merge (squash) June 22, 2026 14:40
@geropl geropl merged commit f1810e7 into main Jun 22, 2026
14 checks passed
@geropl geropl deleted the ona/phase-4-critical-vulnerability-reporting branch June 22, 2026 14:56
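The PR describes the reporting logic only in prose (a shell/jq step that turns critical matches into a per-finding table in the Actions summary). As an added illustration that is not the project's own code, the Python below implements the same table: it ignores non-critical findings, groups rows by scan report and package, and renders vulnerability ID, artifact name/version, location and fix state / fixed versions. It assumes each scan report is a Grype-style JSON document (top-level `matches`, each with `vulnerability.id`, `vulnerability.severity`, `vulnerability.fix.state`, `vulnerability.fix.versions`, `artifact.name`, `artifact.version`, `artifact.locations[].path`); whether the project's reports use exactly that schema is an assumption. The report names, package names and `CVE-0000-*` identifiers in the fixture are constructed placeholders covering the four cases listed under Validation (fixed critical, unfixed critical, empty locations, ignored non-critical). `GITHUB_STEP_SUMMARY` is the standard Actions mechanism for appending markdown to the job summary.

```python
"""Render a compact job-summary table for critical vulnerability matches.

Added example, not the project's code. Assumes Grype-style report JSON
(see lead-in); all fixture data below is constructed.
"""
import os
from typing import Iterable

CRITICAL = "Critical"


def critical_rows(report_name: str, report: dict) -> list[dict]:
    """One row per critical match in a report; non-critical matches are skipped."""
    rows = []
    for match in report.get("matches", []):
        vuln = match.get("vulnerability", {})
        if vuln.get("severity") != CRITICAL:
            continue
        artifact = match.get("artifact", {})
        fix = vuln.get("fix", {})
        # An artifact with no recorded locations must still produce a row.
        paths = [loc.get("path", "") for loc in artifact.get("locations", []) or []]
        rows.append({
            "report": report_name,
            "package": f"{artifact.get('name', '?')}@{artifact.get('version', '?')}",
            "id": vuln.get("id", "?"),
            "location": ", ".join(p for p in paths if p) or "(none)",
            "fix_state": fix.get("state", "unknown"),
            "fixed_in": ", ".join(fix.get("versions", []) or []) or "-",
        })
    return rows


def render_summary(reports: Iterable[tuple[str, dict]]) -> str:
    """GitHub-flavoured markdown: one table per report, rows sorted by package."""
    out = []
    for name, report in reports:
        rows = critical_rows(name, report)
        if not rows:
            continue  # reports with no critical matches get no table
        out.append(f"### Critical findings in `{name}`\n")
        out.append("| Package | Vulnerability | Location | Fix state | Fixed in |")
        out.append("|---|---|---|---|---|")
        for row in sorted(rows, key=lambda r: (r["package"], r["id"])):
            out.append(f"| {row['package']} | {row['id']} | {row['location']} | "
                       f"{row['fix_state']} | {row['fixed_in']} |")
        out.append("")
    return "\n".join(out) if out else "No critical findings.\n"


def write_step_summary(markdown: str) -> bool:
    """Append to $GITHUB_STEP_SUMMARY when running under Actions; report whether written."""
    path = os.environ.get("GITHUB_STEP_SUMMARY")
    if not path:
        return False
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(markdown)
    return True


# Constructed fixture (placeholder IDs, not real advisories): a fixed critical,
# an unfixed critical with no locations, and a High finding that must be ignored.
FIXTURE_REPORTS = [
    ("server-image", {"matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": CRITICAL,
                           "fix": {"state": "fixed", "versions": ["1.2.4"]}},
         "artifact": {"name": "libexample", "version": "1.2.3",
                      "locations": [{"path": "/usr/lib/libexample.so"}]}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": CRITICAL,
                           "fix": {"state": "not-fixed", "versions": []}},
         "artifact": {"name": "toolkit", "version": "0.9.0", "locations": []}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "High",
                           "fix": {"state": "fixed", "versions": ["2.0.0"]}},
         "artifact": {"name": "other", "version": "1.0.0",
                      "locations": [{"path": "/opt/other"}]}},
    ]}),
    ("dashboard-image", {"matches": []}),
]

if __name__ == "__main__":
    summary = render_summary(FIXTURE_REPORTS)
    print(summary)
    write_step_summary(summary)
```

In a workflow step this would run after the scan, with the report paths passed in and the output appended to the job summary; the pass/fail decision stays with the existing vulnerability-stats.json check, which this example deliberately does not touch.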