fetch tags so that goreleaser generates the right binary version

this fixes an issue with trivy where it flags SpiceDB as
vulnerable, possibly as of aquasecurity/trivy#6564
include in version 0.51.0. It's flagged because it parses it as version
0.0.1-next

.github/workflows/security.yaml

@@ -42,6 +42,8 @@ jobs:
     runs-on: "buildjet-2vcpu-ubuntu-2204"
     steps:
       - uses: "actions/checkout@v4"
+        with:
+          fetch-tags: "true"
       - uses: "authzed/actions/setup-go@main"
       - uses: "docker/login-action@v3"
         with: