Issue `#8` is the remaining CI/security automation task.

Current state:
- Repo-side workflow already exists at `.gitea/workflows/security.yml`
- Runner setup notes already exist at `.gitea/README.md`
- The missing piece is operational: a Gitea Actions runner is not configured, so the workflow does not execute

Your job:
1. Re-verify the current repo state before changing anything.
2. Review:
   - `.gitea/workflows/security.yml`
   - `.gitea/README.md`
3. Add the minimal files, scripts, or compose service needed to make Gitea runner setup easy for this environment.
4. Document exact setup steps for running a Gitea Actions runner against this Gitea instance.
5. If live access is available, verify the runner can register and that the workflow actually executes.
6. Do not mark issue `#8` complete unless workflow execution is confirmed. Otherwise keep it `Partial` or `Blocked`.

What `#8` means:
- Automatically run dependency audits
- Automatically scan for tracked secrets/runtime DB files
- Automatically check Dockerfiles for non-root `USER` and `HEALTHCHECK`

Important constraints:
- Do not overstate completion
- Separate repo-side completion from operational completion
- If a runner token or Gitea admin action is required, document that as a manual step
- Do not change admin credentials during this pass

Expected output:
- `Completed:`
- `Partial:`
- `Blocked:`
- `Manual ops actions:`
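
The Dockerfile check listed under "What `#8` means", sketched as an added example; it is not the contents of `.gitea/workflows/security.yml` or any other repository code. The function names and the sample Dockerfiles are constructed for illustration, and the script assumes the final build stage must set `USER` and `HEALTHCHECK` explicitly.

```python
# Added example: static USER / HEALTHCHECK check on a Dockerfile's final stage.
# Assumption: values inherited from the base image are not resolved.
def logical_lines(text):
    """Yield instructions with comments dropped and backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield buf + line
        buf = ""

def audit_dockerfile(text):
    """Return findings for the final stage; an empty list means both checks pass."""
    user = health = None
    for ins in logical_lines(text):
        parts = ins.split(None, 1)
        op, arg = parts[0].upper(), (parts[1].strip() if len(parts) == 2 else "")
        if op == "FROM":
            user = health = None  # new stage: only the last stage becomes the image
        elif op == "USER":
            user = arg
        elif op == "HEALTHCHECK":
            health = arg
    findings = []
    if user is None:
        findings.append("no USER in final stage")
    elif user.split(":")[0].lower() in ("root", "0"):
        findings.append(f"final USER is root ({user})")
    if health is None:
        findings.append("no HEALTHCHECK in final stage")
    elif health.upper() == "NONE":
        findings.append("HEALTHCHECK NONE disables the health check")
    return findings

# Constructed sample inputs (not files from the repository).
GOOD = """FROM python:3.12-slim AS build
FROM python:3.12-slim
USER app
HEALTHCHECK --interval=30s \\
  CMD curl -f http://localhost:8000/health || exit 1
"""
BAD = "FROM node:20 AS build\nUSER node\nHEALTHCHECK CMD true\nFROM node:20\nUSER 0:0\nHEALTHCHECK NONE\n"
if __name__ == "__main__":
    for name, df in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_dockerfile(df) or "ok")
```

The `BAD` sample shows why the state resets on `FROM`: a non-root `USER` and a working `HEALTHCHECK` in a builder stage do not carry into the image that ships.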