From 2be1150eecc74e421246123355189b6f4d714f31 Mon Sep 17 00:00:00 2001
From: dresber
Date: Thu, 28 May 2026 20:43:00 +0200
Subject: [PATCH] feat: add python-security-checks reusable workflow

Dedicated security-only workflow using python:VERSION-slim. Runs Bandit (or any security tool) without pytest or coverage. Supports python_version, install_command, security_command, and working_directory inputs with sensible defaults.

Co-Authored-By: Claude Sonnet 4.6
---
 .gitea/workflows/python-security-checks.yml | 35 +++++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 .gitea/workflows/python-security-checks.yml

diff --git a/.gitea/workflows/python-security-checks.yml b/.gitea/workflows/python-security-checks.yml
new file mode 100644
index 0000000..de5243a
--- /dev/null
+++ b/.gitea/workflows/python-security-checks.yml
@@ -0,0 +1,35 @@
+name: Reusable Python Security Checks
+
+on:
+ workflow_call:
+ inputs:
+ python_version:
+ type: string
+ default: "3.14"
+ install_command:
+ type: string
+ default: 'python -m pip install "bandit[toml]"'
+ security_command:
+ type: string
+ default: "python -m bandit -r app -c pyproject.toml"
+ working_directory:
+ type: string
+ default: "."
+
+jobs:
+ security:
+ runs-on: docker
+ container:
+ image: python:${{ inputs.python_version }}-slim
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Install security tools
+ working-directory: ${{ inputs.working_directory }}
+ run: ${{ inputs.install_command }}
+
+ - name: Run security scan
+ working-directory: ${{ inputs.working_directory }}
+ run: ${{ inputs.security_command }}
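Review bot: The `security` job declares no `permissions:` block, so this reusable workflow runs with whatever token scope the calling workflow grants even though its steps only check out and scan; adding `permissions:` / `  contents: read` under the job (assuming the Gitea runner honors it, as GitHub Actions does) keeps the default token read-only. The checkout step uses the mutable tag `actions/checkout@v4` and the install default pulls an unpinned `bandit[toml]`, so for a workflow whose purpose is security hygiene both should be pinned, e.g. `uses: actions/checkout@<commit-sha> # v4` and `"bandit[toml]==<pinned-version>"`, so a moved tag or new release cannot silently change what executes. Both `run:` steps interpolate `${{ inputs.install_command }}` and `${{ inputs.security_command }}` straight into the shell, which is the intended command-passthrough design, but it means a caller that assembles those strings from event data (branch names, PR titles) gets shell injection; a `description:` on each input stating that the value is executed verbatim and must be a literal in the calling workflow would make that contract visible. A `timeout-minutes:` on the job would also stop a hung scanner from holding the runner until the platform limit.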