fix: run CI jobs in rootless podman containers

Use container: directive per job instead of nested podman run.
Each job specifies its execution image directly:
- test: python:3.13-alpine
- secrets: ghcr.io/gitleaks/gitleaks:latest
- build: quay.io/podman/stable (--privileged for nested builds)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.gitea/workflows/ci.yaml

@@ -7,37 +7,35 @@ on:
 jobs:
   test:
     runs-on: linux
+    container: python:3.13-alpine
     steps:
+      - run: apk add --no-cache git
       - run: |
           git clone --depth 1 \
             -c "http.extraHeader=Authorization: token ${{ github.token }}" \
             "${{ github.server_url }}/${{ github.repository }}.git" .
-      - run: |
+      - run: pip install --no-cache-dir -r requirements.txt ruff pytest
-          podman run --rm \
+      - run: ruff check src/ tests/
-            -v "$PWD:/app:ro" \
+      - run: PYTHONPATH=src pytest tests/ -v
-            -w /app \
-            python:3.13-alpine \
-            sh -c "pip install --no-cache-dir -r requirements.txt ruff pytest && \
-                   ruff check src/ tests/ && \
-                   PYTHONPATH=src pytest tests/ -v"
 
   secrets:
     runs-on: linux
+    container: ghcr.io/gitleaks/gitleaks:latest
     steps:
       - run: |
           git clone \
             -c "http.extraHeader=Authorization: token ${{ github.token }}" \
             "${{ github.server_url }}/${{ github.repository }}.git" .
-      - run: |
+      - run: gitleaks detect --source . -v
-          podman run --rm \
-            -v "$PWD:/scan:ro" \
-            ghcr.io/gitleaks/gitleaks:latest \
-            detect --source /scan -v
 
   build:
     needs: [test, secrets]
     runs-on: linux
+    container:
+      image: quay.io/podman/stable
+      options: --privileged
     steps:
+      - run: dnf install -y git
       - run: |
           git clone --depth 1 \
             -c "http.extraHeader=Authorization: token ${{ github.token }}" \