fix(ci): move ACT guards to step level; add guards to security.yml

env context is invalid in job-level if conditions — moved all ACT
guards down to individual steps. Also guards docker login + scout
in security.yml so act can run the build-only part of that workflow.

.github/workflows/security.yml

@@ -25,11 +25,13 @@ jobs:
           tags: trek:scan
 
       - uses: docker/login-action@v3
+        if: ${{ !env.ACT }}
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - uses: docker/scout-action@v1
+        if: ${{ !env.ACT }}
         with:
           command: cves
           image: trek:scan