ci(deploy): login and pull images before Trivy scan

The scan-images job runs on a fresh runner that does not have the images
built by the build-and-push job. Login to the registry and pull the
images before scanning, otherwise Trivy cannot find them.

.gitea/workflows/deploy.yml

@@ -70,6 +70,13 @@ jobs:
     needs: build-and-push
     runs-on: ubuntu-latest
     steps:
+      - name: Login to Gitea Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: git.codeanddice.ru
+          username: toutsu
+          password: ${{ secrets.GIT_TOKEN }}
+
       - name: Install Trivy
         run: |
           # Install Trivy from the official Docker image instead of the
@@ -78,7 +85,7 @@ jobs:
           #      GitHub releases API; when a release is unpublished or
           #      yanked, the script fails with
           #      `unable to find '<tag>' - use 'latest' or see ...`
-          #      even when the release once existed. We hit this with
+          #      when the release once existed. We hit this with
           #      v0.71.0.
           #   2. Docker Hub tags are content-addressed and rarely
           #      removed, so a pinned image tag is much more stable.
@@ -94,6 +101,12 @@ jobs:
           chmod +x /usr/local/bin/trivy
           trivy --version
 
+      - name: Pull images for scan
+        run: |
+          docker pull git.codeanddice.ru/toutsu/gmrelay-bot:${{ env.VERSION }}
+          docker pull git.codeanddice.ru/toutsu/gmrelay-discord-bot:${{ env.VERSION }}
+          docker pull git.codeanddice.ru/toutsu/gmrelay-web:${{ env.VERSION }}
+
       - name: Scan Bot image
         run: |
           trivy image \