fix(python-security-checks): use custom runner image instead of python slim

python:3.14-slim has no Node.js so actions/checkout@v4 fails with
'node: executable file not found in PATH'. Switch to the same
gitea_runner_python314 custom image used by python-checks.yml which
has both Python 3.14 and Node.js. Drop the python_version input as it
no longer drives the container selection.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.gitea/workflows/notifications.yml

@@ -147,7 +147,11 @@ jobs:
             exit 0
           fi
 
-          COMMIT_SUBJECT="$(git log -1 --pretty=%s 2>/dev/null || echo 'Commit info unavailable')"
+          COMMIT_SUBJECT="$(curl -fsS \
+            -H "Authorization: Bearer ${{ secrets.API_GITEA_TOKEN }}" \
+            "${{ gitea.server_url }}/api/v1/repos/${{ gitea.repository }}/git/commits/${{ gitea.sha }}" \
+            | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('RepoCommit',{}).get('message','').split('\n')[0])" \
+            2>/dev/null || echo 'Commit info unavailable')"
           RUN_URL="${{ gitea.server_url }}/${{ gitea.repository }}/actions/runs/${{ gitea.run_number }}"
 
           cat <<EOF >/tmp/ntfy-payload.json

.gitea/workflows/python-checks.yml

@@ -6,9 +6,21 @@ on:
       python_version:
         type: string
         default: "3.14"
+      source_path:
+        type: string
+        default: "app"
+      tests_path:
+        type: string
+        default: "tests"
       test_command:
         type: string
         default: "coverage run -m pytest"
+      coverage_fail_under:
+        type: string
+        default: "80"
+      run_security_scan:
+        type: boolean
+        default: true
 
 jobs:
   check:
@@ -26,24 +38,25 @@ jobs:
       - name: Install Tools & Deps
         run: |
           python -m pip install --upgrade pip setuptools wheel
-          pip install -e .[dev] || pip install -e .[test] || pip install -e .
+          pip install -e ".[dev]" || pip install -e ".[test]" || pip install -e .
           pip install ruff coverage pip-audit bandit
 
       - name: Linting
-        run: ruff check app tests
+        run: ruff check ${{ inputs.source_path }} ${{ inputs.tests_path }}
 
       - name: Tests
         run: |
           ${{ inputs.test_command }}
-          coverage report --fail-under=60
+          coverage report --fail-under=${{ inputs.coverage_fail_under }}
           coverage xml
           coverage html
 
       - name: Security Scan
+        if: ${{ inputs.run_security_scan }}
         run: |
           pip freeze | grep -v "git+" > req.txt
           pip-audit -r req.txt
-          bandit -r app/
+          bandit -r ${{ inputs.source_path }}
 
       - name: Upload Coverage HTML
         if: always()

.gitea/workflows/python-security-checks.yml

@@ -0,0 +1,38 @@
+name: Reusable Python Security Checks
+
+on:
+  workflow_call:
+    inputs:
+      install_command:
+        type: string
+        default: 'python -m pip install "bandit[toml]"'
+      security_command:
+        type: string
+        default: "python -m bandit -r app -c pyproject.toml"
+      working_directory:
+        type: string
+        default: "."
+    secrets:
+      REGISTRY_USERNAME: { required: true }
+      REGISTRY_PASSWORD: { required: true }
+
+jobs:
+  security:
+    runs-on: docker
+    container:
+      image: gitea.tech-buddy.at/bitbuddydev/gitea_runner_python314:dev-bda315b82bb23d83065b77d91fedf0e20d9accf1
+      credentials:
+        username: ${{ secrets.REGISTRY_USERNAME }}
+        password: ${{ secrets.REGISTRY_PASSWORD }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install security tools
+        working-directory: ${{ inputs.working_directory }}
+        run: ${{ inputs.install_command }}
+
+      - name: Run security scan
+        working-directory: ${{ inputs.working_directory }}
+        run: ${{ inputs.security_command }}