From 192ea717a71229dcf2b7c8b0be8e5bc57105bfc7 Mon Sep 17 00:00:00 2001
From: user <user@rpios.local>
Date: Sun, 22 Feb 2026 05:51:53 +0100
Subject: [PATCH] feat: split CI into gitleaks, lint, and test jobs

- Add gitleaks secret scanning (full history)
- Separate lint (ruff, Python 3.13 only) from test matrix
- Test job gates on lint; gitleaks runs in parallel

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .gitea/workflows/ci.yml | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 8383ffb..2adec37 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -4,9 +4,31 @@ on:
     branches: [master]
   pull_request:
     branches: [master]
+
 jobs:
+  gitleaks:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: gitleaks/gitleaks-action@v2
+        env:
+          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
+
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+      - run: pip install -e . && pip install ruff
+      - run: ruff check src/ tests/ plugins/
+
   test:
     runs-on: ubuntu-latest
+    needs: [lint]
     strategy:
       matrix:
         python-version: ["3.11", "3.12", "3.13"]
@@ -15,6 +37,5 @@ jobs:
       - uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
-      - run: pip install -e . && pip install pytest ruff
-      - run: ruff check src/ tests/ plugins/
+      - run: pip install -e . && pip install pytest
       - run: pytest -v