[CI] Do not run Trivy scan by default

To get around recent TOOMANYREQUESTS from Trivy during DB download,
this commit does the following:

- removes the scan from ci-pr.yml altogether
- makes scan optional (default false) for ci.yml
- schedules scan to run every 3 days at 14:00 UTC

.github/workflows/ci-pr.yml

@@ -105,14 +105,9 @@ jobs:
               -PspringBootVersion="$BOOT_VERSION" \
               -PsampleTests \
               :runAllSampleTests
-  scan:
-    needs: [prerequisites]
-    if: needs.prerequisites.outputs.runjobs
-    uses: ./.github/workflows/trivy-scan.yml
-
   done:
     runs-on: ubuntu-latest
-    needs: [ build_and_verify, check_samples, scan ]
+    needs: [ build_and_verify, check_samples ]
     steps:
       - name: 'Done'
         shell: bash

.github/workflows/ci.yml

@@ -11,6 +11,12 @@ on:
   schedule:
     - cron: '0 11 * * *' # Once per day at 11am UTC
   workflow_dispatch:
+    inputs:
+      run-trivy-scan:
+        description: 'Whether to run Trivy scan'
+        default: false
+        required: false
+        type: boolean
 
 env:
   GCHAT_WEBHOOK_URL: ${{ secrets.SPRING_RELEASE_GCHAT_WEBHOOK_URL }}
@@ -93,7 +99,7 @@ jobs:
               :runAllSampleTests
   scan:
     needs: [prerequisites]
-    if: needs.prerequisites.outputs.runjobs
+    if: ${{ needs.prerequisites.outputs.runjobs && inputs.run-trivy-scan }}
     uses: ./.github/workflows/trivy-scan.yml
   deploy_artifacts:
     name: Deploy Artifacts

.github/workflows/trivy-scan.yml

@@ -25,6 +25,8 @@ on:
         default: false
         required: false
         type: boolean
+  schedule:
+    - cron: '0 14 * * */3' # Once every 3 day at 2pm UTC
 
 jobs:
   run_trivy_scan: