ci: fix Trivy scan tag extraction and update SARIF action to v4 (#17)

Signed-off-by: Chris Gianelloni <wolf31o2@blinklabs.io>

Author: wolf31o2

.github/workflows/publish.yml

@@ -47,7 +47,7 @@ jobs:
             type=ref,event=branch
       - name: Extract first tag
         run: |
-          FIRST_TAG=$(echo "${{ steps.meta.outputs.tags }}" | head -n1)
+          FIRST_TAG=$(echo "${{ steps.meta.outputs.tags }}" | head -n1 | rev | cut -d: -f1 | rev)
           echo "FIRST_TAG=$FIRST_TAG" >> $GITHUB_ENV
       - name: push
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 https://github.com/docker/build-push-action/releases/tag/v6.18.0
@@ -65,7 +65,7 @@ jobs:
           format: 'sarif'
           output: 'trivy-results-${{ env.FIRST_TAG }}.sarif'
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@d3ced5c96c16c4332e2a61eb6f3649d6f1b20bb8 # v3.31.5
+        uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
         if: always()
         with:
           sarif_file: 'trivy-results-${{ env.FIRST_TAG }}.sarif'