Rework CI/CD into 3 pipelines: ci, deploy, scheduled-update

Split build.yaml into separate workflows for clearer separation of concerns:
- ci.yaml: PR builds push to staging tag (:pr-N), runs Trivy scan
- deploy.yaml: on merge retags staging to :latest + :version, on direct push runs full pipeline
- scheduled-update.yaml: daily cron checks for new upstream releases

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.github/workflows/scheduled-update.yaml

@@ -1,4 +1,4 @@
-name: Check for new upstream release
+name: Scheduled Update
 
 on:
   schedule: