From 8265f96f3b01e9f401026b445ea89e468d28f42a Mon Sep 17 00:00:00 2001
From: user
Date: Thu, 5 Feb 2026 11:33:44 +0100
Subject: [PATCH] ci: Add Gitea workflow for lint and security checks

- cppcheck: C/C++ static analysis (warnings, style, performance, portability)
- flawfinder: Security-focused C/C++ analysis
- gitleaks: Secret scanning across repo history
- shellcheck: Shell script analysis

All jobs run on 'anvil' labeled runner.
---
 .gitea/workflows/lint.yml | 82 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 82 insertions(+)
 create mode 100644 .gitea/workflows/lint.yml

diff --git a/.gitea/workflows/lint.yml b/.gitea/workflows/lint.yml
new file mode 100644
index 0000000..cccf358
--- /dev/null
+++ b/.gitea/workflows/lint.yml
@@ -0,0 +1,82 @@
+name: Lint & Security
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+
+jobs:
+ cppcheck:
+ name: C/C++ Static Analysis
+ runs-on: anvil
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install cppcheck
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y cppcheck
+
+ - name: Run cppcheck
+ run: |
+ cppcheck --enable=warning,style,performance,portability \
+ --suppress=missingIncludeSystem \
+ --error-exitcode=1 \
+ --inline-suppr \
+ -I get-started/csi_recv_router/main \
+ get-started/csi_recv_router/main/*.c
+
+ flawfinder:
+ name: Security Flaw Analysis
+ runs-on: anvil
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install flawfinder
+ run: |
+ pip install --user flawfinder
+
+ - name: Run flawfinder
+ run: |
+ ~/.local/bin/flawfinder --minlevel=2 --error-level=4 \
+ get-started/csi_recv_router/main/
+
+ gitleaks:
+ name: Secret Scanning
+ runs-on: anvil
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Install gitleaks
+ run: |
+ GITLEAKS_VERSION="8.18.4"
+ curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
+ | sudo tar -xz -C /usr/local/bin gitleaks
+
+ - name: Run gitleaks
+ run: |
+ gitleaks detect --source . --verbose --redact
+
+ shellcheck:
+ name: Shell Script Analysis
+ runs-on: anvil
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install shellcheck
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y shellcheck
+
+ - name: Find and check shell scripts
+ run: |
+ SCRIPTS=$(find . -name "*.sh" -type f 2>/dev/null || true)
+ if [ -n "$SCRIPTS" ]; then
+ echo "Checking: $SCRIPTS"
+ echo "$SCRIPTS" | xargs shellcheck --severity=warning
+ else
+ echo "No shell scripts found, skipping"
+ fi
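Review bot: The "Install gitleaks" step pipes a curl download straight into `sudo tar -xz -C /usr/local/bin` with no integrity check, so the version is pinned but the content is not, and whatever the URL serves is installed as root on the runner. Download to a file and verify it against the checksum published with that release before extracting: `curl -sSLO "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"`, `echo "<sha256 from the v${GITLEAKS_VERSION} release checksums>  gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" | sha256sum -c -`, then `sudo tar -xzf "gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" -C /usr/local/bin gitleaks`. The same concern applies to `pip install --user flawfinder`, which pins neither a version nor a hash, and to `actions/checkout@v4`, which is a mutable tag rather than a commit SHA. In the shellcheck job, feeding `find` output through `echo "$SCRIPTS" | xargs` splits on whitespace, so a path containing a space is checked as two bogus files; `find . -name "*.sh" -type f -print0 | xargs -0 shellcheck --severity=warning` handles arbitrary paths and, with `xargs -r` where available, the empty case as well. Since every job runs on the self-hosted `anvil` runner with passwordless `sudo` and is also triggered by `pull_request`, it is presumably worth confirming that pull requests from untrusted contributors cannot be scheduled onto that runner.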