The trivy-action does an internal actions/checkout against
github.com/aquasecurity/trivy, which fails on Gitea (act_runner
injects Gitea creds; clone returns exit 128). Switch to the same
inline-download pattern we use for gitleaks.
Refs: M0.2
The original ci.yaml used wagoid/commitlint-github-action and
gitleaks/gitleaks-action, both of which hit GitHub-specific API
endpoints that 404 on Gitea ("error trying to get list of pull
request's commits: not found").
Changes:
- commitlint: bash regex against Conventional Commits, scoped to the
PR commit range. Zero external deps.
- gitleaks: inline tarball download + binary run, exit-code 1 on
any finding.
- trivy: unchanged (works fine; uses local fs scan).
- Per-stack test/image/e2e jobs now gated on hashFiles(go.sum) /
hashFiles(package.json) / hashFiles(Dockerfile) so they skip
cleanly on empty repos and light up automatically when real code
lands (M4.1, M5.1, etc.).
Refs: M0.2
sharang