fix: run gitleaks via podman on host instead of container directive

The gitleaks image lacks a shell compatible with the runner's
script injection. Use podman run with volume mount on the host
instead, matching the proven s5p pattern.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.gitea/workflows/ci.yml

@@ -42,14 +42,16 @@ jobs:
 
   secrets:
     runs-on: linux
-    container:
-      image: ghcr.io/gitleaks/gitleaks:latest
-      options: --entrypoint ""
     steps:
-      - name: Checkout
-        run: git clone --branch "${GITHUB_REF_NAME}" "https://oauth2:${{ github.token }}@${GITHUB_SERVER_URL#https://}/${GITHUB_REPOSITORY}.git" .
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
       - name: Scan for secrets
-        run: gitleaks detect --source . -v
+        run: |
+          podman run --rm \
+            -v "$PWD:/scan:ro" \
+            ghcr.io/gitleaks/gitleaks:latest \
+            detect --source /scan -v
 
   build:
     runs-on: linux