- ruff: download standalone binary instead of using python3 -m ruff
(runner image lacks the PATH entry for pip-installed bin scripts)
- pip-audit: add python3-venv to apt install (pip-audit creates a venv
internally to resolve deps; ensurepip was missing)
- gitleaks: switch from stopwords allowlist to --baseline-path approach.
Stopwords don't suppress findings from git history scans. The baseline
records the 4 known-intentional webhook HMAC secrets; CI now only
fails on findings NOT in the baseline (i.e. newly introduced secrets)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
