Fix Python runner; add gitleaks secret scanning

- All Python jobs now install python3-pip via apt first (runner image
  has no pip by default)
- Added secret-scan job: gitleaks v8.21.2 scans full git history on
  every push/PR with --redact to avoid leaking found secrets in logs
- Added .gitleaks.toml allowlisting deploy/hooks-lxc*.json files
  (webhook HMAC secrets are intentional config, not leaks)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.gitea/workflows/lint.yml

@@ -37,8 +37,10 @@ jobs:
     steps:
       - uses: actions/checkout@v3
 
-      - name: Install ruff
-        run: python3 -m pip install ruff
+      - name: Install pip and ruff
+        run: |
+          apt-get update -qq && apt-get install -y -qq python3-pip
+          python3 -m pip install ruff
 
       - name: Check syntax errors
         run: python3 -m ruff check matrixbot/ --select E9,F63,F7,F82 --output-format=github
@@ -52,8 +54,27 @@ jobs:
     steps:
       - uses: actions/checkout@v3
 
-      - name: Install pip-audit
-        run: python3 -m pip install pip-audit
+      - name: Install pip and pip-audit
+        run: |
+          apt-get update -qq && apt-get install -y -qq python3-pip
+          python3 -m pip install pip-audit
 
       - name: Audit matrixbot dependencies
         run: python3 -m pip_audit -r matrixbot/requirements.txt
+
+  secret-scan:
+    name: Secret scan (gitleaks)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Install gitleaks
+        run: |
+          curl -sSL https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz \
+            | tar -xz gitleaks
+          mv gitleaks /usr/local/bin/gitleaks
+
+      - name: Scan for secrets
+        run: gitleaks detect --source . --config .gitleaks.toml --redact --exit-code 1