feat: add configuration templates

- docker-compose-gitea.yml.tpl: Gitea + SQLite container - app.ini.tpl: Gitea config (INSTALL_LOCK, Actions enabled, no registration) - docker-compose-runner.yml.tpl: act_runner Docker container (Linux) - runner-config.yaml.tpl: act_runner config (capacity=1, timeout=3h) - com.gitea.runner.plist.tpl: macOS launchd service for native runner - nginx-gitea.conf.tpl: Nginx reverse proxy with SSL/WebSocket support - workflows/security-scan.yml.tpl: Semgrep + Trivy + Gitleaks workflow Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-26 15:03:54 -06:00
parent f32e200c64
commit 6b0e4de464
7 changed files with 250 additions and 0 deletions
--- a/templates/workflows/security-scan.yml.tpl
+++ b/templates/workflows/security-scan.yml.tpl
@@ -0,0 +1,43 @@
+# Security scanning workflow — rendered from security-scan.yml.tpl
+# Runs Semgrep, Trivy, and Gitleaks on every pull request.
+# Each job reports as a status check for branch protection.
+
+name: Security Scan
+
+on:
+  pull_request:
+    branches:
+      - ${PROTECTED_BRANCH}
+
+jobs:
+  semgrep:
+    name: Semgrep SAST
+    runs-on: linux
+    container:
+      image: returntocorp/semgrep:${SEMGREP_VERSION}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run Semgrep
+        run: semgrep scan --config auto --error .
+
+  trivy:
+    name: Trivy Vulnerability Scan
+    runs-on: linux
+    container:
+      image: aquasec/trivy:${TRIVY_VERSION}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run Trivy filesystem scan
+        run: trivy fs --exit-code 1 --severity HIGH,CRITICAL .
+
+  gitleaks:
+    name: Gitleaks Secret Detection
+    runs-on: linux
+    container:
+      image: zricethezav/gitleaks:${GITLEAKS_VERSION}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Run Gitleaks
+        run: gitleaks detect --source . --exit-code 1