platform/.gitea/README.md
Yusuf Suleman 6023ebf9d0 feat: tasks app, security hardening, mobile fixes, iOS app shell
- Custom SQLite task manager replacing TickTick wrapper
- 73 tasks migrated from TickTick across 15 projects
- RRULE recurrence engine with lazy materialization
- Dashboard tasks widget (desktop sidebar + mobile card)
- Tasks page with project tabs, add/edit/complete/delete
- Security: locked ports to localhost, removed old containers
- Gitea Actions runner configured and all 3 CI jobs passing
- Fixed mobile overflow on dashboard cards
- iOS Capacitor app shell (Second Brain)
- Frontend/backend guide docs for adding new services
- TickTick Google Calendar sync re-authorized

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-30 15:35:57 -05:00


# Gitea CI Workflows
## security.yml
Runs on push/PR to `master`. Three jobs:
1. **dependency-audit** — `npm audit --audit-level=high` for budget and frontend
2. **secret-scanning** — checks for tracked .env/.db files and hardcoded secret patterns
3. **dockerfile-lint** — verifies all Dockerfiles have `USER` (non-root) and `HEALTHCHECK`
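One way to implement the `dockerfile-lint` check described above (added example, not this repository's `security.yml`; the function names `lint_dockerfile` and `lint_all` are hypothetical). It judges only the final build stage, so a `USER` later reset to root, a `USER`/`HEALTHCHECK` that exists only in an earlier stage, and `HEALTHCHECK NONE` all fail, which a plain `grep` for the two keywords would miss.

```bash
#!/usr/bin/env bash
# Added example (not the repository's security.yml); function names are hypothetical.

# lint_dockerfile FILE: print findings for the final build stage; return 1 if any.
lint_dockerfile() {
  awk -v name="$1" '
    { sub(/\r$/, "") }                       # tolerate CRLF checkouts
    /^[ \t]*#/ { next }                      # skip comment lines
    NF == 0    { next }                      # skip blank lines
    {
      ins = toupper($1)
      if (ins == "FROM") { user = ""; health = "" }   # each stage starts clean
      else if (ins == "USER") { user = $2 }           # last USER wins
      else if (ins == "HEALTHCHECK") { health = toupper($2) }
    }
    END {
      bad = 0
      sub(/:.*/, "", user)                   # USER name:group -> name
      if (user == "") { print name ": no USER in final stage"; bad = 1 }
      else if (user == "root" || user == "0") { print name ": final USER is root"; bad = 1 }
      if (health == "") { print name ": no HEALTHCHECK in final stage"; bad = 1 }
      else if (health == "NONE") { print name ": HEALTHCHECK NONE disables checks"; bad = 1 }
      exit bad
    }
  ' "$1"
}

# lint_all FILE...: lint every file given; return 1 if any file has findings.
lint_all() {
  rc=0
  for f in "$@"; do
    lint_dockerfile "$f" || rc=1
  done
  return "$rc"
}

# Constructed sample: USER and HEALTHCHECK exist, but only in the build stage.
demo_dir=$(mktemp -d)
printf 'FROM node:20 AS build\nUSER node\nHEALTHCHECK CMD true\nFROM node:20\nCOPY . .\n' \
  > "$demo_dir/Dockerfile"
lint_all "$demo_dir/Dockerfile" || echo "lint failed"
rm -rf "$demo_dir"
```

A `USER` given as a build argument (for example `USER ${APP_USER}`) passes this check unresolved, so its default value still needs a manual look.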
## Runner Setup
The runner is configured in the Gitea docker-compose at `/media/yusiboyz/Media/Scripts/gitea/docker-compose.yml`.
**What was done:**
1. Added `[actions] ENABLED = true` to Gitea's `app.ini`
2. Added `runner` service (gitea/act_runner) to Gitea's docker-compose
3. Generated runner token via `docker exec -u git gitea gitea actions generate-runner-token`
4. Token stored in `/media/yusiboyz/Media/Scripts/gitea/.env` as `RUNNER_TOKEN`
5. Runner registered as `platform-runner` with labels: ubuntu-latest, ubuntu-24.04, ubuntu-22.04
**To regenerate token (if needed):**
```bash
cd /media/yusiboyz/Media/Scripts/gitea
docker exec -u git gitea gitea actions generate-runner-token
# Update .env with new RUNNER_TOKEN value
docker compose up -d runner
```
**To check runner status:**
```bash
docker logs gitea-runner
```