Update yq and actionlint to remove suppressed Go stdlib CVEs #96

@lex57ukr

Description

Goal

Remove the .trivyignore suppressions for CVE-2026-25679 and CVE-2026-27137 by updating yq and actionlint to versions built with Go >= 1.26.1.

Scope

  • Watch for a yq release built with Go >= 1.26.1 (currently v4.52.4 on Go 1.26.0)
  • Watch for an actionlint release built with Go >= 1.26.1 (currently v1.7.11 on Go 1.25.7)
  • Run make resolve TOOLS=yq and/or make resolve TOOLS=actionlint to pin the new versions
  • Remove the corresponding CVE entries from images/ci-tools/.trivyignore
  • Verify with make scan

Outcome

The ci-tools image passes Trivy scans without suppressions for these two CVEs.

Notes

Suppressed in #95. The CVE monitor will continue to flag these until this follow-up is completed, but the suppressions keep CI green in the interim.
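As an added example (not code from the issue or from the ci-tools repository), the gate behind the Scope steps above, written in Python: read the toolchain each tool was built with, accept only a release Go toolchain at or above 1.26.1, and drop the two CVE lines from `.trivyignore` only when every Go-built tool in the image is on a fixed toolchain. The toolchain version is taken from the first line of `go version -m <binary>` output (`name: go1.26.0`), which is the real format; the tool names, the sample outputs, the `.trivyignore` contents, the `plan` helper and the `CVE-0000-00000` placeholder line are all constructed for the example.

```python
"""Gate removal of Go stdlib CVE suppressions on the toolchain each tool was built with.

Added example, not part of the issue or the ci-tools repo. The toolchain version is
read from the first line of `go version -m <binary>` ("name: go1.26.0"); everything
else here (tool names, sample outputs, the .trivyignore text) is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# CVE IDs and minimum toolchain are the ones named in the issue.
GO_STDLIB_CVES = ("CVE-2026-25679", "CVE-2026-27137")
MIN_GO = (1, 26, 1)

# Matches a release toolchain only; "go1.26rc1" or "go1.26beta1" do not match.
_GO_VERSION_RE = re.compile(r"\bgo(\d+)\.(\d+)(?:\.(\d+))?(?=\s|$)")


def parse_go_version(version_m_output: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from the first line of `go version -m` output,
    or None when no release toolchain version is present."""
    lines = version_m_output.strip().splitlines()
    if not lines:
        return None
    m = _GO_VERSION_RE.search(lines[0])
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_fixed(toolchain: Optional[Tuple[int, int, int]], minimum=MIN_GO) -> bool:
    """True when the binary was built with a toolchain at or above the fixed one."""
    return toolchain is not None and toolchain >= minimum


def prune_trivyignore(text: str, cve_ids) -> Tuple[str, List[str]]:
    """Drop suppression lines whose first token is one of cve_ids.
    Comments, blank lines and other IDs are kept unchanged."""
    kept, removed = [], []
    for line in text.splitlines():
        stripped = line.strip()
        token = None
        if stripped and not stripped.startswith("#"):
            token = stripped.split()[0]  # first field is the ID; an "exp:" field may follow
        if token in cve_ids:
            removed.append(token)
        else:
            kept.append(line)
    out = "\n".join(kept)
    return (out + "\n" if text.endswith("\n") else out), removed


def plan(tool_outputs: Dict[str, str], trivyignore: str):
    """Assumed helper: report per tool whether it is on a fixed toolchain and prune
    the suppressions only when every tool is, so a half-updated image keeps them."""
    status = {name: is_fixed(parse_go_version(out)) for name, out in tool_outputs.items()}
    if status and all(status.values()):
        new_text, removed = prune_trivyignore(trivyignore, GO_STDLIB_CVES)
    else:
        new_text, removed = trivyignore, []
    return status, new_text, removed


# Constructed `go version -m` output for the versions the issue names.
CURRENT_TOOLS = {
    "yq": "yq_linux_amd64: go1.26.0\n\tpath\tgithub.com/mikefarah/yq/v4\n",
    "actionlint": "actionlint: go1.25.7\n\tpath\tgithub.com/rhysd/actionlint/cmd/actionlint\n",
}

# Constructed output for hypothetical future builds on a fixed toolchain.
FIXED_TOOLS = {
    "yq": "yq_linux_amd64: go1.26.1\n\tpath\tgithub.com/mikefarah/yq/v4\n",
    "actionlint": "actionlint: go1.26.1\n\tpath\tgithub.com/rhysd/actionlint/cmd/actionlint\n",
}

# Constructed .trivyignore; CVE-0000-00000 is a placeholder for an unrelated suppression.
SAMPLE_TRIVYIGNORE = (
    "# Go stdlib CVEs in yq and actionlint, see #95 / #96\n"
    "CVE-2026-25679\n"
    "CVE-2026-27137\n"
    "# unrelated suppression (placeholder ID), must survive pruning\n"
    "CVE-0000-00000\n"
)

if __name__ == "__main__":
    for label, tools in (("current", CURRENT_TOOLS), ("fixed", FIXED_TOOLS)):
        status, text, removed = plan(tools, SAMPLE_TRIVYIGNORE)
        print(f"{label}: {status} -> removed {removed}")
        print(text)
```

Two design points worth keeping if this is wired into `make scan`: a pre-release toolchain (`go1.26rc1`) is treated as unfixed rather than parsed optimistically, and the suppressions are pruned as a set only when both binaries are fixed, because removing either CVE line while one tool is still on an older toolchain would turn the scan red again.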

Labels

  • dependencies (Dependency updates)
  • security (Security-related change)
