78d1645f08
- ruff: download standalone binary instead of using python3 -m ruff (runner image lacks the PATH entry for pip-installed bin scripts)
- pip-audit: add python3-venv to apt install (pip-audit creates a venv internally to resolve deps; ensurepip was missing)
- gitleaks: switch from stopwords allowlist to --baseline-path approach. Stopwords don't suppress findings from git history scans. The baseline records the 4 known-intentional webhook HMAC secrets; CI now only fails on findings NOT in the baseline (i.e. newly introduced secrets)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
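
The baseline gate described in the gitleaks item, sketched as an added example (not code from this commit or from gitleaks): a report is compared with a recorded baseline and the job fails only on findings the baseline does not contain. The sample findings, the helper names and the choice of the `Fingerprint` field as the matching key are assumptions of this example.

```python
import json

# Constructed findings shaped like entries of a gitleaks JSON report.
# Commits, paths and secret values are made up for this example.
def finding(commit, path, rule, line, secret):
    return {"Commit": commit, "File": path, "RuleID": rule, "StartLine": line,
            "Secret": secret, "Fingerprint": f"{commit}:{path}:{rule}:{line}"}

BASELINE = json.dumps([
    finding("aaaa111", "tests/webhook_fixture.py", "generic-api-key", 12, "hmac-test-1"),
    finding("bbbb222", "docs/webhooks.md", "generic-api-key", 40, "hmac-test-2"),
])
# The same history scanned again after one more secret was committed.
REPORT = json.dumps(json.loads(BASELINE) + [
    finding("cccc333", "app/settings.py", "generic-api-key", 7, "live-secret-value"),
])

def key(f):
    # Assumption of this example: a finding is identified by its Fingerprint.
    return f["Fingerprint"]

def new_findings(report_json, baseline_json):
    """Findings present in the report but not recorded in the baseline."""
    known = {key(f) for f in json.loads(baseline_json)}
    return [f for f in json.loads(report_json) if key(f) not in known]

def gate(report_json, baseline_json):
    """Return (exit_code, log_lines); the secret value is never logged."""
    fresh = new_findings(report_json, baseline_json)
    lines = [f"NEW {f['RuleID']} {f['File']}:{f['StartLine']} @ {f['Commit']}"
             for f in fresh]
    return (1 if fresh else 0), lines

if __name__ == "__main__":
    code, lines = gate(REPORT, BASELINE)
    print("\n".join(lines) or "no findings outside the baseline")
    raise SystemExit(code)
```

Because the key used here includes the commit id, a history rewrite that changes commit ids makes baselined findings look new, so the baseline has to be regenerated after such a rewrite.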