chore(ci): bump catalog to v2.2.0 + tighten container_scanning on tags
Catalog @v2.1.1 -> @v2.2.0; per-rule allow_failure on container_scanning so tag pipelines block on CVEs, MR/default-branch stay advisory.
Catalog @v2.1.1 -> @v2.2.0; per-rule allow_failure on container_scanning so tag pipelines block on CVEs, MR/default-branch stay advisory.