# Gitea CI Workflows

## security.yml

Runs on push/PR to `master`. Three jobs:

1. **dependency-audit** — `npm audit --audit-level=high` for budget and frontend
2. **secret-scanning** — checks for tracked .env/.db files and hardcoded secret patterns
3. **dockerfile-lint** — verifies all Dockerfiles have `USER` (non-root) and `HEALTHCHECK`

## Prerequisites

These workflows require a **Gitea Actions runner** to be configured. Without a runner, the workflows are committed but will not execute.

To set up a runner:

1. Go to Gitea → Site Administration → Runners
2. Register a runner (Docker-based or shell-based)
3. The workflows will automatically execute on the next push

See: https://docs.gitea.com/usage/actions/overview
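As an added example (not the repository's own `security.yml` code), the kind of check the `dockerfile-lint` job described above can run as a shell step: it passes a Dockerfile only if its last `USER` instruction is non-root and a `HEALTHCHECK` is declared. The two Dockerfiles it lints are constructed samples, and the `lint_*`/`make_samples` function names are the example's own.

```shell
#!/usr/bin/env sh
# Added example, not the repository's workflow: a dockerfile-lint check.
# A Dockerfile passes only if its final USER is non-root and it declares
# a HEALTHCHECK. Exit status: 0 = pass, 1 = fail (so the CI job fails).

# lint_dockerfile <path>
lint_dockerfile() {
  file="$1"
  status=0
  # The last USER instruction is what the final image runs as; a USER in
  # an earlier build stage of a multi-stage file is overridden by it.
  last_user=$(grep -iE '^[[:space:]]*USER[[:space:]]+' "$file" | tail -n 1 | awk '{print $2}')
  case "$last_user" in
    "") echo "FAIL $file: no USER instruction, container runs as root"; status=1 ;;
    root|0|root:*|0:*) echo "FAIL $file: USER is root"; status=1 ;;
    *) echo "ok   $file: runs as '$last_user'" ;;
  esac
  if ! grep -qiE '^[[:space:]]*HEALTHCHECK[[:space:]]+' "$file"; then
    echo "FAIL $file: no HEALTHCHECK instruction"; status=1
  fi
  return $status
}

# lint_all <dir>: lint every Dockerfile* under dir; fail if any one fails.
# (Paths are assumed to contain no whitespace, as in a checked-out repo.)
lint_all() {
  rc=0
  for f in $(find "$1" -type f -name 'Dockerfile*'); do
    lint_dockerfile "$f" || rc=1
  done
  return $rc
}

# make_samples <dir>: writes two constructed Dockerfiles as sample input.
# The bad one is multi-stage: USER node in stage 1, USER root in the final stage.
make_samples() {
  mkdir -p "$1/good" "$1/bad"
  printf 'FROM node:20-alpine\nWORKDIR /app\nCOPY . .\nUSER node\n' > "$1/good/Dockerfile"
  printf 'HEALTHCHECK CMD wget -qO- http://localhost:3000/health || exit 1\n' >> "$1/good/Dockerfile"
  printf 'FROM node:20-alpine\nUSER node\nFROM nginx:alpine\nUSER root\n' > "$1/bad/Dockerfile"
}

# Demo on the constructed samples; in CI, point lint_all at the repo root instead.
d=$(mktemp -d)
make_samples "$d"
lint_all "$d" || echo "dockerfile-lint would fail this build"
rm -rf "$d"
```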