fix: fetch commit subject via Gitea API instead of git log

Notification job had no checkout step so git log always failed,
producing "Commit info unavailable". Now uses the existing
API_GITEA_TOKEN and gitea.sha context to fetch the commit message
from the Gitea API directly.

Also raises default coverage threshold in python-checks to 80%.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.gitea/workflows/node-checks.yml

@@ -0,0 +1,42 @@
+name: Reusable Node Checks
+
+on:
+  workflow_call:
+    inputs:
+      node_version:
+        type: string
+        default: "22"
+      install_command:
+        type: string
+        default: "npm ci"
+      typecheck_command:
+        type: string
+        default: "npm run typecheck"
+      test_command:
+        type: string
+        default: "npm test"
+      build_command:
+        type: string
+        default: "npm run build"
+
+jobs:
+  check:
+    runs-on: docker
+    container:
+      image: node:${{ inputs.node_version }}-alpine
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install dependencies
+        run: ${{ inputs.install_command }}
+
+      - name: Typecheck
+        run: ${{ inputs.typecheck_command }}
+
+      - name: Run tests
+        run: ${{ inputs.test_command }}
+
+      - name: Build
+        run: ${{ inputs.build_command }}

.gitea/workflows/notifications.yml

@@ -17,7 +17,7 @@ on:
       NTFY_TOPIC: { required: true }
       NTFY_TOKEN: { required: true }
       NTFY_SERVER: { required: true }
-      GITEA_TOKEN: { required: true }
+      API_GITEA_TOKEN: { required: true }
 
 jobs:
   notify:
@@ -27,7 +27,7 @@ jobs:
         id: previous
         shell: bash
         env:
-          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
+          API_GITEA_TOKEN: ${{ secrets.API_GITEA_TOKEN }}
         run: |
           set -euo pipefail
 
@@ -41,7 +41,7 @@ jobs:
           current_run_number = int("${{ gitea.run_number }}")
           current_branch = "${{ gitea.ref_name }}"
           current_event = "${{ gitea.event_name }}"
-          token = os.environ["GITEA_TOKEN"]
+          token = os.environ["API_GITEA_TOKEN"]
 
           url = (
               f"{server}/api/v1/repos/{repo}/actions/runs"
@@ -147,7 +147,11 @@ jobs:
             exit 0
           fi
 
-          COMMIT_SUBJECT="$(git log -1 --pretty=%s 2>/dev/null || echo 'Commit info unavailable')"
+          COMMIT_SUBJECT="$(curl -fsS \
+            -H "Authorization: Bearer ${{ secrets.API_GITEA_TOKEN }}" \
+            "${{ gitea.server_url }}/api/v1/repos/${{ gitea.repository }}/git/commits/${{ gitea.sha }}" \
+            | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('RepoCommit',{}).get('message','').split('\n')[0])" \
+            2>/dev/null || echo 'Commit info unavailable')"
           RUN_URL="${{ gitea.server_url }}/${{ gitea.repository }}/actions/runs/${{ gitea.run_number }}"
 
           cat <<EOF >/tmp/ntfy-payload.json

.gitea/workflows/python-checks.yml

@@ -6,9 +6,21 @@ on:
       python_version:
         type: string
         default: "3.14"
+      source_path:
+        type: string
+        default: "app"
+      tests_path:
+        type: string
+        default: "tests"
       test_command:
         type: string
         default: "coverage run -m pytest"
+      coverage_fail_under:
+        type: string
+        default: "80"
+      run_security_scan:
+        type: boolean
+        default: true
 
 jobs:
   check:
@@ -26,30 +38,38 @@ jobs:
       - name: Install Tools & Deps
         run: |
           python -m pip install --upgrade pip setuptools wheel
-          pip install -e .[dev] || pip install -e .[test] || pip install -e .
+          pip install -e ".[dev]" || pip install -e ".[test]" || pip install -e .
           pip install ruff coverage pip-audit bandit
 
       - name: Linting
-        run: ruff check app tests
+        run: ruff check ${{ inputs.source_path }} ${{ inputs.tests_path }}
 
       - name: Tests
         run: |
           ${{ inputs.test_command }}
-          coverage report --fail-under=60
+          coverage report --fail-under=${{ inputs.coverage_fail_under }}
           coverage xml
           coverage html
 
       - name: Security Scan
+        if: ${{ inputs.run_security_scan }}
         run: |
           pip freeze | grep -v "git+" > req.txt
           pip-audit -r req.txt
-          bandit -r app/
+          bandit -r ${{ inputs.source_path }}
 
-      - name: Upload Coverage
+      - name: Upload Coverage HTML
         if: always()
         uses: actions/upload-artifact@v3
         with:
-          name: coverage-report
-          path: |
-            htmlcov/
-            coverage.xml
+          name: coverage-html
+          path: htmlcov/
+          if-no-files-found: warn
+
+      - name: Upload Coverage XML
+        if: always()
+        uses: actions/upload-artifact@v3
+        with:
+          name: coverage-xml
+          path: coverage.xml
+          if-no-files-found: warn