pryscraper/.forgejo
cryptorugmunch 465ff0bd55 ci: add gitleaks + bandit jobs; split single job into lint/typecheck/test/secrets/security
The previous CI had a single build job with mypy marked as
continue-on-error, and no secret scanning or security audit. The
pre-commit config has gitleaks + bandit but they were never enforced
in CI.

Changes:
- Split monolithic build job into focused jobs: lint, typecheck, test,
  secrets (gitleaks), security (bandit)
- Promote mypy to a real required job (not continue-on-error)
- Add gitleaks scan (v8.24.0) against the full git history
- Add bandit scan at high+medium severity (low severity is too noisy
  for an OSS project)
- Each job has its own container to keep failures isolated
2026-07-02 20:02:06 +02:00
..
ISSUE_TEMPLATE chore(license): re-license to dual MIT (core) + BSL 1.1 (stealth) 2026-07-02 19:59:18 +02:00
workflows ci: add gitleaks + bandit jobs; split single job into lint/typecheck/test/secrets/security 2026-07-02 20:02:06 +02:00