
fix(daily-scan): scan published artifacts instead of repo source #486

Merged
thpierce merged 2 commits into master from scan-published-artifacts on Mar 20, 2026

Conversation

@thpierce (Contributor)

Problem

DependencyCheck (DC) scans -s "." which includes DC's own bundled jars in ./dependency-check/lib/, producing false positive CVEs (commons-beanutils, h2, logback, gson, httpclient5, etc.).

Additionally, scanning source code means if a vulnerability exists in the published artifact but has already been fixed on main, the scan gives a false negative — customers are still exposed.

Fix

Instead of scanning the repo source tree, download/install the published artifact from its package registry into a dedicated scan-target/ directory, then scan only that.

This pattern is already proven by ADOT Java and ADOT Python repos.

Changes

  • Replace the pre-scan build/install step with one that fetches the published artifact into scan-target/
  • Change the DC scan target from -s "." to -s "scan-target/"
  • All other steps (checkout, DC download/GPG/unzip, Trivy, metrics) are unchanged
  • All DC flags (--failOnCVSS 0, --enableExperimental, --nvdApiKey, etc.) are unchanged

Testing

Tested locally with DC v12.1.0 against NVD database. Verified:

  • All reported dependencies come from the published artifact
  • Zero DC tool jars in the report (no false positives)
  • Dependency count matches expected published artifact contents
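The following script is an added example and is not code from the PR or the repository. It reproduces the layout the fixed daily-scan workflow ends up with (DependencyCheck installed beside the checkout, the published artifact unpacked into scan-target/) and checks the two properties the PR's Testing section relies on: DC's bundled jars are not under the scan path, and no report entry points into DC's own lib/ directory. The jar names, the working directory, the --project value and the shape of the JSON report are constructed or assumed here; fetching the artifact from the registry is ecosystem-specific and left out.

```shell
#!/bin/sh
# Added example (not from the PR): lay out the directories the fixed workflow
# produces and verify DC's own jars stay out of the scan and the report.
# File names, paths and the report JSON are constructed for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed layout: DC's install dir with two of its bundled jars, and a
# scan-target/ directory holding only what was fetched from the registry.
setup_layout() {
  mkdir -p "$WORK/dependency-check/lib" "$WORK/scan-target/lib"
  : > "$WORK/dependency-check/lib/commons-beanutils-TOOL.jar"   # DC tool jar
  : > "$WORK/dependency-check/lib/h2-TOOL.jar"                  # DC tool jar
  : > "$WORK/scan-target/lib/published-artifact-EXAMPLE.jar"    # artifact under test
  : > "$WORK/scan-target/lib/runtime-dependency-EXAMPLE.jar"    # a dep it ships
}

# Count jars under DIR that live in DC's own lib/. Scanning "." picks them
# up (the false positives in the PR); scanning scan-target/ must yield 0.
count_tool_jars_under() {
  find "$1" -type f -name '*.jar' -path '*/dependency-check/lib/*' | wc -l | tr -d ' '
}

# Build the DC command line. Only the -s target changed in the PR; the other
# flags are the ones the PR lists as unchanged. --project is required by the
# DC CLI; the value "daily-scan" is an assumption of this example.
dc_scan_command() {
  printf '%s\n' "./dependency-check/bin/dependency-check.sh --project daily-scan -s \"$1\" --failOnCVSS 0 --enableExperimental --nvdApiKey \"\$NVD_API_KEY\""
}

# Write a constructed report in the shape of DC's JSON output, where each
# dependency carries the filePath it was found at.
write_report() {   # $1 = output file; remaining args = scanned jar paths
  out="$1"; shift
  {
    printf '{ "dependencies": [\n'
    first=1
    for p in "$@"; do
      [ "$first" = 1 ] || printf ',\n'
      first=0
      printf '  { "fileName": "%s", "filePath": "%s" }' "$(basename "$p")" "$p"
    done
    printf '\n] }\n'
  } > "$out"
}

# Count report entries whose path points into DC's own lib/ directory.
# grep -c prints 0 and exits 1 when nothing matches, hence the || true.
count_tool_jars_in_report() {
  grep -c '"filePath": "[^"]*/dependency-check/lib/' "$1" || true
}

# Before/after comparison in the spirit of the PR's Testing section:
# a report for a scan of "." versus a report for a scan of scan-target/.
verify_fix() {
  setup_layout
  before="$WORK/report-before.json"
  after="$WORK/report-after.json"
  write_report "$before" $(find "$WORK" -type f -name '*.jar' | sort)
  write_report "$after"  $(find "$WORK/scan-target" -type f -name '*.jar' | sort)
  echo "tool jars reported when scanning '.':            $(count_tool_jars_in_report "$before")"
  echo "tool jars reported when scanning 'scan-target/': $(count_tool_jars_in_report "$after")"
  echo "scan command: $(dc_scan_command scan-target/)"
  [ "$(count_tool_jars_in_report "$after")" = 0 ]
}

verify_fix
```

The check in verify_fix is the one worth keeping in CI after a change like this: if a future refactor moves the DC install under scan-target/ or reverts the target to ".", the report count of paths under dependency-check/lib/ stops being zero and the job fails before any CVE triage happens.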

thpierce requested a review from a team as a code owner on March 19, 2026 23:58
thpierce merged commit 3817250 into master on Mar 20, 2026
10 of 15 checks passed
thpierce deleted the scan-published-artifacts branch on March 20, 2026 03:12