ci: enhance security scanning and add SBOM generation

- Add dedicated security-tests job for security-focused test files
- Add SBOM generation job using CycloneDX for supply chain transparency
- Add Bandit scan for fpaste CLI
- Add hardcoded secrets detection step
- Fix SHA1 fingerprint warnings with usedforsecurity=False
- Split unit tests from security tests for better organization
- Add memory leak detection job

fpaste

@@ -1219,7 +1219,9 @@ def cmd_pki_download(args: argparse.Namespace, config: dict[str, Any]) -> None:
 
         if HAS_CRYPTO:
             cert = x509.load_pem_x509_certificate(body)
-            fp = hashlib.sha1(cert.public_bytes(serialization.Encoding.DER)).hexdigest()  # noqa: S324
+            fp = hashlib.sha1(
+                cert.public_bytes(serialization.Encoding.DER), usedforsecurity=False
+            ).hexdigest()
             print(f"fingerprint: {fp}", file=sys.stderr)
 
         if args.configure:
@@ -1405,7 +1407,7 @@ def cmd_cert(args: argparse.Namespace, config: dict[str, Any]) -> None:
     certificate = cert_builder.sign(private_key, hashes.SHA256())
 
     cert_der = certificate.public_bytes(serialization.Encoding.DER)
-    fingerprint = hashlib.sha1(cert_der).hexdigest()  # noqa: S324
+    fingerprint = hashlib.sha1(cert_der, usedforsecurity=False).hexdigest()
 
     key_encryption = (
         serialization.BestAvailableEncryption(args.password_key.encode())