The previous CI had a single build job with mypy marked as
continue-on-error, and no secret scanning or security audit. The
pre-commit config has gitleaks + bandit but they were never enforced
in CI.
Changes:
- Split monolithic build job into focused jobs: lint, typecheck, test,
secrets (gitleaks), security (bandit)
- Promote mypy to a real required job (not continue-on-error)
- Add gitleaks scan (v8.24.0) against the full git history
- Add bandit scan at high+medium severity (low severity is too noisy
for an OSS project)
- Each job has its own container to keep failures isolated
Squashed from chore/license-relicense. Full message preserved in the
original branch commit bb77eb5. See ADR-0002 for the decision rationale.
Refs: ADR-0002, commit bb77eb5
Python CI: uv setup, ruff lint+format, mypy (warn), pytest (non-integration).
Runs on docker-x64 runner on Talos.
55 tests exist, now they will run in CI.