feat ✨: Add PR check workflow for Gitleaks and lint tests

This commit introduces a new pull request (PR) check workflow that includes Gitleaks for security scanning and lint tests to ensure code quality.

.gitea/workflows/pr-check.yaml

@@ -0,0 +1,164 @@
+---
+# https://github.com/kekxv/pr-check
+name: PR check
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+
+jobs:
+  leak_test:
+    name: Gitleaks
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+        with:
+          github-server-url: ${{ vars.GIT_SERVER_URL }}
+
+      - name: Install Gitleaks
+        run: |
+          curl -sSL https://github.com/gitleaks/gitleaks/releases/download/v8.30.0/gitleaks_8.30.0_linux_x64.tar.gz \
+          | tar -xz
+          sudo mv gitleaks /usr/local/bin/
+
+      - name: Run Gitleaks
+        run: |
+          gitleaks dir . \
+            --redact=10 \
+            --verbose \
+            --exit-code 1
+
+  lint_test:
+    name: lint tests
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+        with:
+          github-server-url: ${{ vars.GIT_SERVER_URL }}
+
+      - name: Install Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+
+      - name: Run markdownlint
+        run: npx markdownlint-cli2 "**/*.md" "#node_modules"
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.14"
+
+      - name: Install ansible-lint and yamllint
+        run: |
+          python -m pip install --upgrade pip
+          pip install ansible ansible-lint yamllint
+
+      - name: Run yamllint
+        run: |
+          yamllint .
+
+      - name: Run ansible-lint
+        run: |
+          ansible-lint
+
+handle_failures:
+  runs-on: ubuntu-latest
+  needs: [leak_test, lint_test]
+  if: needs.leak_test.result != 'success' || needs.lint_test.result != 'success'
+
+  steps:
+    - name: Comment, label, and close PR
+      run: |
+        API="${{ vars.GIT_SERVER_URL }}/api/v1/repos/${{ github.repository }}"
+        PR="${{ github.event.pull_request.number }}"
+        TOKEN="${{ secrets.GITEA_TOKEN }}"
+
+        COMMENT_BODY="❌ CI checks failed.\n\nLeak test: ${{ needs.leak_test.result }}\nLint: ${{ needs.lint_test.result }}"
+
+        # Find existing comment
+        EXISTING_COMMENT_ID=$(curl -s -H "Authorization: token $TOKEN" \
+          "$API/issues/$PR/comments" \
+          | jq -r '.[] | select(.body | test("<!--ci-failed-comment-->")) | .id')
+
+        # Update or create comment
+        if [ -n "$EXISTING_COMMENT_ID" ]; then
+          curl -s -X PATCH \
+            -H "Authorization: token $TOKEN" \
+            -H "Content-Type: application/json" \
+            -d "{\"body\":\"<!--ci-failed-comment-->\n$COMMENT_BODY\"}" \
+            "$API/issues/$PR/comments/$EXISTING_COMMENT_ID"
+        else
+          curl -s -X POST \
+            -H "Authorization: token $TOKEN" \
+            -H "Content-Type: application/json" \
+            -d "{\"body\":\"<!--ci-failed-comment-->\n$COMMENT_BODY\"}" \
+            "$API/issues/$PR/comments"
+        fi
+
+        # Add label if missing
+        LABELS=$(curl -s -H "Authorization: token $TOKEN" "$API/issues/$PR/labels" | jq -r '.[] | .name')
+        if ! echo "$LABELS" | grep -q "^ci-failed$"; then
+          curl -s -X POST \
+            -H "Authorization: token $TOKEN" \
+            -H "Content-Type: application/json" \
+            -d '["ci-failed"]' \
+            "$API/issues/$PR/labels"
+        fi
+
+        # Close PR
+        curl -s -X PATCH \
+          -H "Authorization: token $TOKEN" \
+          -H "Content-Type: application/json" \
+          -d '{"state":"closed"}' \
+          "$API/pulls/$PR"
+
+handle_success:
+  runs-on: ubuntu-latest
+  needs: [leak_test, lint_test]
+  if: needs.leak_test.result == 'success' && needs.lint_test.result == 'success'
+
+  steps:
+    - name: Update comment, remove label, reopen PR
+      run: |
+        API="${{ vars.GIT_SERVER_URL }}/api/v1/repos/${{ github.repository }}"
+        PR="${{ github.event.pull_request.number }}"
+        TOKEN="${{ secrets.GITEA_TOKEN }}"
+
+        COMMENT_BODY="✅ All CI checks passed.\n\nLeak test: ${{ needs.leak_test.result }}\nLint: ${{ needs.lint_test.result }}"
+
+        # Find existing comment
+        EXISTING_COMMENT_ID=$(curl -s -H "Authorization: token $TOKEN" \
+          "$API/issues/$PR/comments" \
+          | jq -r '.[] | select(.body | test("<!--ci-failed-comment-->")) | .id')
+
+        # Update comment if exists
+        if [ -n "$EXISTING_COMMENT_ID" ]; then
+          curl -s -X PATCH \
+            -H "Authorization: token $TOKEN" \
+            -H "Content-Type: application/json" \
+            -d "{\"body\":\"<!--ci-failed-comment-->\n$COMMENT_BODY\"}" \
+            "$API/issues/$PR/comments/$EXISTING_COMMENT_ID"
+        fi
+
+        # Remove label if exists
+        LABELS=$(curl -s -H "Authorization: token $TOKEN" "$API/issues/$PR/labels" | jq -r '.[] | .name')
+        if echo "$LABELS" | grep -q "^ci-failed$"; then
+          curl -s -X DELETE \
+            -H "Authorization: token $TOKEN" \
+            "$API/issues/$PR/labels/ci-failed"
+        fi
+
+        # Reopen PR if closed
+        PR_STATE=$(curl -s -H "Authorization: token $TOKEN" "$API/pulls/$PR" | jq -r '.state')
+        if [ "$PR_STATE" = "closed" ]; then
+          curl -s -X PATCH \
+            -H "Authorization: token $TOKEN" \
+            -H "Content-Type: application/json" \
+            -d '{"state":"open"}' \
+            "$API/pulls/$PR"
+        fi