fix(python-security-checks): use custom runner image instead of python slim

python:3.14-slim has no Node.js so actions/checkout@v4 fails with
'node: executable file not found in PATH'. Switch to the same
gitea_runner_python314 custom image used by python-checks.yml which
has both Python 3.14 and Node.js. Drop the python_version input as it
no longer drives the container selection.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.gitea/workflows/node-checks.yml

@@ -0,0 +1,42 @@
+name: Reusable Node Checks
+
+on:
+  workflow_call:
+    inputs:
+      node_version:
+        type: string
+        default: "22"
+      install_command:
+        type: string
+        default: "npm ci"
+      typecheck_command:
+        type: string
+        default: "npm run typecheck"
+      test_command:
+        type: string
+        default: "npm test"
+      build_command:
+        type: string
+        default: "npm run build"
+
+jobs:
+  check:
+    runs-on: docker
+    container:
+      image: node:${{ inputs.node_version }}-alpine
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install dependencies
+        run: ${{ inputs.install_command }}
+
+      - name: Typecheck
+        run: ${{ inputs.typecheck_command }}
+
+      - name: Run tests
+        run: ${{ inputs.test_command }}
+
+      - name: Build
+        run: ${{ inputs.build_command }}

.gitea/workflows/notifications.yml

@@ -9,35 +9,156 @@ on:
       job_name:
         required: true
         type: string
+      notify_on_release:
+        required: false
+        type: boolean
+        default: true
     secrets:
       NTFY_TOPIC: { required: true }
       NTFY_TOKEN: { required: true }
       NTFY_SERVER: { required: true }
+      API_GITEA_TOKEN: { required: true }
 
 jobs:
   notify:
     runs-on: docker
     steps:
+      - name: Detect previous workflow state
+        id: previous
+        shell: bash
+        env:
+          API_GITEA_TOKEN: ${{ secrets.API_GITEA_TOKEN }}
+        run: |
+          set -euo pipefail
+
+          python3 <<'PY'
+          import json
+          import os
+          import urllib.request
+
+          server = "${{ gitea.server_url }}"
+          repo = "${{ gitea.repository }}"
+          current_run_number = int("${{ gitea.run_number }}")
+          current_branch = "${{ gitea.ref_name }}"
+          current_event = "${{ gitea.event_name }}"
+          token = os.environ["API_GITEA_TOKEN"]
+
+          url = (
+              f"{server}/api/v1/repos/{repo}/actions/runs"
+              f"?page=1&limit=5"
+          )
+
+          print(f"Fetching workflow runs from: {url}")
+          print(f"Current run number: {current_run_number}")
+          print(f"Current branch: {current_branch}")
+          print(f"Current event: {current_event}")
+
+          req = urllib.request.Request(
+              url,
+              headers={
+                  "Authorization": f"token {token}",
+                  "Accept": "application/json",
+              },
+          )
+
+          with urllib.request.urlopen(req) as response:
+              data = json.loads(response.read().decode("utf-8"))
+
+          runs = data.get("workflow_runs", [])
+
+          print(f"Received {len(runs)} workflow runs")
+
+          previous = "unknown"
+
+          for run in runs:
+              run_number = run.get("run_number")
+              status = run.get("status")
+              conclusion = run.get("conclusion")
+              branch = run.get("head_branch")
+              event = run.get("event")
+
+              print(
+                  f"Inspecting run #{run_number}: "
+                  f"status={status}, "
+                  f"conclusion={conclusion}, "
+                  f"branch={branch}, "
+                  f"event={event}"
+              )
+
+              # aktuellen Run überspringen
+              if int(run_number) == current_run_number:
+                  print(" -> skipping current run")
+                  continue
+
+              # nur abgeschlossene Runs
+              if status != "completed":
+                  print(" -> skipping non-completed run")
+                  continue
+
+              # nur gleicher Branch
+              if branch != current_branch:
+                  print(" -> skipping different branch")
+                  continue
+
+              # nur gleiches Event
+              if event != current_event:
+                  print(" -> skipping different event")
+                  continue
+
+              previous = conclusion or "unknown"
+
+              print(f" -> selected previous conclusion: {previous}")
+              break
+
+          print(f"Previous conclusion final: {previous}")
+
+          with open(os.environ["GITEA_OUTPUT"], "a", encoding="utf-8") as f:
+              f.write(f"previous_conclusion={previous}\n")
+          PY
+
       - name: Send Notification
         shell: bash
         run: |
-          # Icon und Titel basierend auf Status
+          set -euo pipefail
-          if [ "${{ inputs.job_status }}" == "success" ]; then
+
-            ICON="✅"
+          CURRENT_STATUS="${{ inputs.job_status }}"
-            TITLE="Fixed: ${{ inputs.job_name }} for ${{ gitea.repository }}"
+          PREVIOUS_STATUS="${{ steps.previous.outputs.previous_conclusion }}"
-          else
+          IS_RELEASE="false"
-            ICON="❌"
+
-            TITLE="Failed: ${{ inputs.job_name }} for ${{ gitea.repository }}"
+          if [[ "${{ gitea.ref }}" == refs/tags/v* ]]; then
+            IS_RELEASE="true"
           fi
 
-          COMMIT_SUBJECT="$(git log -1 --pretty=%s || echo 'Commit info unavailable')"
+          echo "Current status: ${CURRENT_STATUS}"
+          echo "Previous status: ${PREVIOUS_STATUS}"
+          echo "Is release: ${IS_RELEASE}"
+
+          if [[ "$IS_RELEASE" == "true" && "$CURRENT_STATUS" == "success" ]]; then
+            ICON="🚀"
+            TITLE="New release available: ${{ gitea.ref_name }} for ${{ gitea.repository }}"
+          elif [[ "$CURRENT_STATUS" == "failure" ]]; then
+            ICON="❌"
+            TITLE="Failed: ${{ inputs.job_name }} for ${{ gitea.repository }}"
+          elif [[ "$CURRENT_STATUS" == "success" && "$PREVIOUS_STATUS" == "failure" ]]; then
+            ICON="✅"
+            TITLE="Healed: ${{ inputs.job_name }} for ${{ gitea.repository }}"
+          else
+            echo "No notification needed."
+            exit 0
+          fi
+
+          COMMIT_SUBJECT="$(curl -fsS \
+            -H "Authorization: Bearer ${{ secrets.API_GITEA_TOKEN }}" \
+            "${{ gitea.server_url }}/api/v1/repos/${{ gitea.repository }}/git/commits/${{ gitea.sha }}" \
+            | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('RepoCommit',{}).get('message','').split('\n')[0])" \
+            2>/dev/null || echo 'Commit info unavailable')"
           RUN_URL="${{ gitea.server_url }}/${{ gitea.repository }}/actions/runs/${{ gitea.run_number }}"
 
           cat <<EOF >/tmp/ntfy-payload.json
           {
             "topic": "${{ secrets.NTFY_TOPIC }}",
             "title": "${ICON} ${TITLE}",
-            "message": "Ref: ${{ gitea.ref_name }}\nCommit: ${COMMIT_SUBJECT}\n\nRun URL: ${RUN_URL}",
+            "message": "Ref: ${{ gitea.ref_name }}\nStatus: ${CURRENT_STATUS}\nPrevious: ${PREVIOUS_STATUS}\nCommit: ${COMMIT_SUBJECT}\n\nRun URL: ${RUN_URL}",
             "click": "${RUN_URL}",
             "actions": [
               { "action": "view", "label": "Open Run", "url": "${RUN_URL}" }

.gitea/workflows/python-checks.yml

@@ -6,9 +6,21 @@ on:
       python_version:
         type: string
         default: "3.14"
+      source_path:
+        type: string
+        default: "app"
+      tests_path:
+        type: string
+        default: "tests"
       test_command:
         type: string
         default: "coverage run -m pytest"
+      coverage_fail_under:
+        type: string
+        default: "80"
+      run_security_scan:
+        type: boolean
+        default: true
 
 jobs:
   check:
@@ -26,30 +38,38 @@ jobs:
       - name: Install Tools & Deps
         run: |
           python -m pip install --upgrade pip setuptools wheel
-          pip install -e .[dev] || pip install -e .[test] || pip install -e .
+          pip install -e ".[dev]" || pip install -e ".[test]" || pip install -e .
           pip install ruff coverage pip-audit bandit
 
       - name: Linting
-        run: ruff check app tests
+        run: ruff check ${{ inputs.source_path }} ${{ inputs.tests_path }}
 
       - name: Tests
         run: |
           ${{ inputs.test_command }}
-          coverage report --fail-under=60
+          coverage report --fail-under=${{ inputs.coverage_fail_under }}
           coverage xml
           coverage html
 
       - name: Security Scan
+        if: ${{ inputs.run_security_scan }}
         run: |
           pip freeze | grep -v "git+" > req.txt
           pip-audit -r req.txt
-          bandit -r app/
+          bandit -r ${{ inputs.source_path }}
 
-      - name: Upload Coverage
+      - name: Upload Coverage HTML
         if: always()
         uses: actions/upload-artifact@v3
         with:
-          name: coverage-report
+          name: coverage-html
-          path: |
+          path: htmlcov/
-            htmlcov/
+          if-no-files-found: warn
-            coverage.xml
+
+      - name: Upload Coverage XML
+        if: always()
+        uses: actions/upload-artifact@v3
+        with:
+          name: coverage-xml
+          path: coverage.xml
+          if-no-files-found: warn

.gitea/workflows/python-security-checks.yml

@@ -0,0 +1,38 @@
+name: Reusable Python Security Checks
+
+on:
+  workflow_call:
+    inputs:
+      install_command:
+        type: string
+        default: 'python -m pip install "bandit[toml]"'
+      security_command:
+        type: string
+        default: "python -m bandit -r app -c pyproject.toml"
+      working_directory:
+        type: string
+        default: "."
+    secrets:
+      REGISTRY_USERNAME: { required: true }
+      REGISTRY_PASSWORD: { required: true }
+
+jobs:
+  security:
+    runs-on: docker
+    container:
+      image: gitea.tech-buddy.at/bitbuddydev/gitea_runner_python314:dev-bda315b82bb23d83065b77d91fedf0e20d9accf1
+      credentials:
+        username: ${{ secrets.REGISTRY_USERNAME }}
+        password: ${{ secrets.REGISTRY_PASSWORD }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install security tools
+        working-directory: ${{ inputs.working_directory }}
+        run: ${{ inputs.install_command }}
+
+      - name: Run security scan
+        working-directory: ${{ inputs.working_directory }}
+        run: ${{ inputs.security_command }}