fix(ci): add ca-certificates and hardening for s390x fallback in Dockerfile.std

The s390x fallback stage uses debian:trixie-slim as a base but was
missing ca-certificates installation and CVE surface hardening that
the original Dockerfile.std included. This ensures the s390x image
remains functional and secure.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: buger

ci/Dockerfile.std

@@ -14,6 +14,13 @@ FROM tykio/dhi-busybox:1.37-fips AS base-amd64
 FROM tykio/dhi-busybox:1.37-fips AS base-arm64
 # Fallback for s390x (no FIPS base available)
 FROM debian:trixie-slim AS base-s390x
+RUN apt-get update \
+    && apt-get dist-upgrade -y ca-certificates \
+    && (dpkg --purge --force-remove-essential curl ncurses-base || true) \
+    && (rm -fv /usr/bin/passwd /usr/sbin/adduser || true) \
+    && apt-get -y autoremove \
+    && apt-get clean \
+    && rm -rf /var/cache/apt/archives /var/lib/apt /var/lib/cache /var/log/*
 
 FROM base-${TARGETARCH}
 ARG TARGETARCH