chore(ce-ui): refresh Alpine packages in run stage to clear OS CVEs

Ingarequested to merge
inga/ce-ui-apk-upgrade-cve into master

Trivy scans of postgresai/ce-ui:4.1.1 show 2 CRITICAL and 13 HIGH OS-level vulnerabilities (libcrypto3, libssl3 et al.) inherited from the nginx:1.29.7-alpine base. Adding 'apk update && apk upgrade --no-cache' in the run stage refreshes from the Alpine stable feed and brings the image to 0 CRITICAL / 0 HIGH at scan time.

This is the OS half of the CE-UI CVE work. The build stage uses node:24-alpine and is rebuilt from cache on every release; only the run stage was missing the refresh.

Merge request reports