Dedicated security-only workflow using python:VERSION-slim.
Runs Bandit (or any security tool) without pytest or coverage.
Supports python_version, install_command, security_command,
and working_directory inputs with sensible defaults.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Notification job had no checkout step so git log always failed,
producing "Commit info unavailable". Now uses the existing
API_GITEA_TOKEN and gitea.sha context to fetch the commit message
from the Gitea API directly.
Also raises default coverage threshold in python-checks to 80%.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>