Fix detached pipelines
Currently the `check cves` job runs as a detached pipeline on MRs plus the normal per-branch full CI run. I think this is because that job has a `rules:` section, unlike any other job:
https://repo1.dso.mil/ironbank-tools/ironbank-pipeline/-/blob/master/stages/check-cves/base.yaml#L3-7
Either remove those `rules:` or add a global rule to skip it on detached pipelines:
https://docs.gitlab.com/ee/ci/merge_request_pipelines/#use-rules-to-run-pipelines-for-merge-requests
A top level workflow rules might fix this:
```yaml
workflow:
  rules:
    - if: $CI_COMMIT_BRANCH
```
`CI_COMMIT_BRANCH` is documented as:
The commit branch name. Present in branch pipelines, including pipelines for the default branch. Not present in merge request pipelines or tag pipelines.
Edited by blake.burkhart