
fix(ci): pin e2e goreleaser and exclude local build artifacts #580

Merged
yuanchen8911 merged 1 commit into NVIDIA:main from yuanchen8911:codex/grype-scan-fix
Apr 15, 2026

Conversation

@yuanchen8911 (Contributor) commented Apr 15, 2026

Summary

Pin the Linux E2E GoReleaser install path so qualification does not drift with upstream releases, and exclude generated local build artifacts from make scan.

Motivation / Context

make scan runs grype dir:., and Grype scans files on disk rather than honoring .gitignore. That means stale locally built binaries can trigger false-positive stdlib findings during local scans.

Separately, the Linux E2E path still installed GoReleaser via an unpinned @latest path through tools/setup-tools, which can break qualification when a new GoReleaser release raises its Go requirement before CI has moved.

Fixes: N/A
Related: #579

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update
  • Refactoring (no functional changes)
  • Build/CI/tooling

Component(s) Affected

  • CLI (cmd/aicr, pkg/cli)
  • API server (cmd/aicrd, pkg/api, pkg/server)
  • Recipe engine / data (pkg/recipe)
  • Bundlers (pkg/bundler, pkg/component/*)
  • Collectors / snapshotter (pkg/collector, pkg/snapshotter)
  • Validator (pkg/validator)
  • Core libraries (pkg/errors, pkg/k8s)
  • Docs/examples (docs/, examples/)
  • Other: local scan configuration and E2E tooling setup

Implementation Notes

  • Adds ./aicr, ./aicrd, ./bin/**, and ./dist/** to .grype.yaml exclusions so local scans ignore generated binaries and release output.
  • Updates docs/contributor/cli.md profiling examples to build bin/aicr instead of ./aicr.
  • Bumps .settings.yaml to Go 1.26.2 and GoReleaser v2.15.3 so the qualification path uses compatible pinned versions.
  • Pins Linux tools/setup-tools to go install github.com/goreleaser/goreleaser/v2@${GORELEASER_VERSION}.
  • Threads goreleaser_version into the cli-e2e action from qualification.yaml so attested CLI builds do not float on @latest.

Testing

make scan
git diff --check origin/main...HEAD
  • make scan passed locally with stale ./aicr and ./bin/aicr binaries present.
  • git diff --check origin/main...HEAD passed.
  • I did not rerun full make qualify in this sandbox; CI is the right signal for the E2E path.

Risk Assessment

  • Low — Isolated change, well-tested, easy to revert
  • Medium — Touches multiple components or has broader impact
  • High — Breaking change, affects critical paths, or complex rollout

Rollout notes: This keeps PR #580 limited to the local scan fix plus the minimal qualification-path pin needed to stop the known Linux E2E drift.

Checklist

  • Tests pass locally (make test with -race)
  • Linter passes (make lint)
  • I did not skip/disable tests to make CI green
  • I added/updated tests for new functionality
  • I updated docs if user-facing behavior changed
  • Changes follow existing patterns in the codebase
  • Commits are cryptographically signed (git commit -S) — GPG signing info
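
The two defensive patterns in the Implementation Notes, written out as an added example in POSIX sh. This is not the project's own tools/setup-tools script or its .grype.yaml; the function names are hypothetical, and the version value is assumed to arrive from the caller (in the PR it is threaded from .settings.yaml through qualification.yaml). The first function builds the pinned `go install` target and refuses any floating spec such as `latest`, which is what stops the E2E path from drifting with upstream releases; the second writes a Grype config whose `exclude` globs keep stale local binaries out of `grype dir:.`, and the third checks that such a config still lists every artifact path.

```shell
#!/usr/bin/env sh
# Added example, not the aicr project's own tools/setup-tools or .grype.yaml.
# Assumption: the caller supplies GORELEASER_VERSION (pinned in .settings.yaml
# in the PR); function names here are hypothetical.

# Build the pinned `go install` module target. Floating specs (@latest, a
# branch name, an empty value) are rejected so the qualification path cannot
# pick up a GoReleaser release whose Go requirement CI has not moved to yet.
goreleaser_install_target() {
  version="$1"
  case "$version" in
    ""|latest|@latest|main|master)
      echo "refusing to install goreleaser without a pinned version (got '${version:-<empty>}')" >&2
      return 1 ;;
    v[0-9]*.[0-9]*.[0-9]*) ;;
    *)
      echo "expected a vX.Y.Z release tag, got '$version'" >&2
      return 1 ;;
  esac
  printf '%s\n' "github.com/goreleaser/goreleaser/v2@${version}"
}

# Write a .grype.yaml that excludes generated binaries and release output.
# Grype scans the directory on disk and does not honor .gitignore, so the
# same paths that git ignores must be excluded here explicitly.
write_grype_config() {
  out="$1"
  cat > "$out" <<'EOF'
exclude:
  - ./aicr
  - ./aicrd
  - ./bin/**
  - ./dist/**
EOF
}

# Return 0 only if every local build artifact path is excluded in the config.
grype_config_excludes_artifacts() {
  cfg="$1"
  for p in ./aicr ./aicrd './bin/**' './dist/**'; do
    grep -Fqx "  - $p" "$cfg" || return 1
  done
}

# Usage (constructed): resolve the pinned target and emit a scan config.
# GORELEASER_VERSION=v2.15.3 sh ./example.sh
if [ -n "${GORELEASER_VERSION:-}" ]; then
  target=$(goreleaser_install_target "$GORELEASER_VERSION") || exit 1
  echo "would run: go install $target"
  write_grype_config ./.grype.example.yaml
  grype_config_excludes_artifacts ./.grype.example.yaml && echo "scan config excludes local artifacts"
fi
```

Running `make scan` against a tree that still holds a stale `./aicr` is the cheap regression check for the exclusion list; the version guard is the equivalent check for the install path, since `go install ...@latest` would otherwise succeed silently and only fail later when the new release's Go requirement is higher than the pinned toolchain.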


@yuanchen8911 force-pushed the codex/grype-scan-fix branch from 9ae18a2 to 0cb8692 on April 15, 2026 01:38
@yuanchen8911 requested a review from a team as a code owner on April 15, 2026 01:38
@yuanchen8911 changed the title from "fix(ci): exclude generated binaries from grype scans" to "fix(ci): pin goreleaser and exclude local build artifacts" on Apr 15, 2026
@yuanchen8911 force-pushed the codex/grype-scan-fix branch 2 times, most recently from bead7e7 to 9b43855 on April 15, 2026 02:03
@yuanchen8911 changed the title from "fix(ci): pin goreleaser and exclude local build artifacts" to "fix(ci): pin e2e goreleaser and exclude local build artifacts" on Apr 15, 2026
@github-actions bot added the size/S label and removed the size/M label on Apr 15, 2026
@yuanchen8911 requested a review from dims on April 15, 2026 02:05
@yuanchen8911 force-pushed the codex/grype-scan-fix branch from 9b43855 to 97fe272 on April 15, 2026 02:06
@yuanchen8911 merged commit 945a57d into NVIDIA:main on Apr 15, 2026
31 checks passed