fix(python-security-checks): use custom runner image instead of python slim

python:3.14-slim has no Node.js so actions/checkout@v4 fails with 'node: executable file not found in PATH'. Switch to the same gitea_runner_python314 custom image used by python-checks.yml which has both Python 3.14 and Node.js. Drop the python_version input as it no longer drives the container selection. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
feat: add python-security-checks reusable workflow
2026-05-30 14:43:38 +02:00 · 2026-05-28 20:43:00 +02:00
1 changed files with 38 additions and 0 deletions
--- a/.gitea/workflows/python-security-checks.yml
+++ b/.gitea/workflows/python-security-checks.yml
@@ -0,0 +1,38 @@
+name: Reusable Python Security Checks
+
+on:
+  workflow_call:
+    inputs:
+      install_command:
+        type: string
+        default: 'python -m pip install "bandit[toml]"'
+      security_command:
+        type: string
+        default: "python -m bandit -r app -c pyproject.toml"
+      working_directory:
+        type: string
+        default: "."
+    secrets:
+      REGISTRY_USERNAME: { required: true }
+      REGISTRY_PASSWORD: { required: true }
+
+jobs:
+  security:
+    runs-on: docker
+    container:
+      image: gitea.tech-buddy.at/bitbuddydev/gitea_runner_python314:dev-bda315b82bb23d83065b77d91fedf0e20d9accf1
+      credentials:
+        username: ${{ secrets.REGISTRY_USERNAME }}
+        password: ${{ secrets.REGISTRY_PASSWORD }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install security tools
+        working-directory: ${{ inputs.working_directory }}
+        run: ${{ inputs.install_command }}
+
+      - name: Run security scan
+        working-directory: ${{ inputs.working_directory }}
+        run: ${{ inputs.security_command }}