chore(ci): add security scans and PR build check

[fyzanshaik-atlan]

Summary

Adds CI workflows for security scanning, build validation, and scheduled vulnerability monitoring for the MCP server.

Changes

• Trivy Security Scanning (.github/workflows/mcp-trivy.yml)

  • Uses the org's reusable workflow (atlanhq/.github/reusable-trivy-scan.yml)
  • Scans Docker image and uv.lock dependencies for HIGH/CRITICAL vulnerabilities
  • Uploads SARIF results to GitHub Security tab
  • Posts scan results as a PR comment
  • Fails on HIGH/CRITICAL fixable vulnerabilities

• Snyk Status Verification (.github/workflows/verify-snyk-status.yml)

  • Verifies Snyk security checks pass on PRs

• PR Build Check (.github/workflows/mcp-build.yml)

  • Validates Docker image builds successfully on PRs

• Scheduled Security Scan + Linear Ticket (.github/workflows/mcp-scheduled-scan.yml)

  • Runs every Monday at 09:00 UTC (also supports manual trigger)
  • Uses the org's reusable workflow (atlanhq/.github/reusable-trivy-scan-scheduled.yml)
  • Scans Docker image and uv.lock for HIGH/CRITICAL vulnerabilities
  • Automatically creates a Linear ticket with vulnerability details if issues are found
  • Requires LINEAR_API_KEY secret and LINEAR_TEAM_ID variable to be configured

Notes

• PR-triggered workflows only fire on changes to modelcontextprotocol/**
• Dependency upgrades were removed from this PR — already merged via Fix dependency vulns and Dockerfile python version mismatch #206

Setup required for scheduled scan

1. Add LINEAR_API_KEY as a repository or org secret
2. Add LINEAR_TEAM_ID as a repository variable (get UUID from Linear: Cmd+K → "Copy model UUID")