ci: fix workflows and add pip-audit to dev dependencies

- Add concurrency control to prevent duplicate runs
- Add timeout-minutes for all jobs
- Add pip-audit to dev dependencies
- Remove docs deployment (Gitea doesn't support Pages)
- Fix security check (remove || true, proper exit codes)
- Simplify release.yml (build only on tags)
- Update CONTRIBUTING.md with local docs generation

.gitea/workflows/pr-check.yml

@@ -4,9 +4,14 @@ on:
   pull_request:
     branches: [main]
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   test:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     
     steps:
       - name: Checkout code
@@ -14,7 +19,6 @@ jobs:
       
       - name: Use system Python
         run: |
-          echo "Python $(python3 --version)"
           echo "$HOME/.local/bin" >> $GITHUB_PATH
       
       - name: Install dependencies (with dev)
@@ -65,6 +69,7 @@ jobs:
 
   security:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     
     steps:
       - name: Checkout code
@@ -78,9 +83,16 @@ jobs:
         run: uv sync --group dev
       
       - name: Run safety check
-        run: uv run pip-audit || true
+        run: uv run pip-audit
       
       - name: Check for secrets
         run: |
-          ! grep -r "password\s*=" --include="*.py" src/ || true
+          if grep -r "password\s*=" --include="*.py" src/; then
-          ! grep -r "token\s*=" --include="*.py" src/ || true
+            echo "❌ Found hardcoded passwords in src/"
+            exit 1
+          fi
+          if grep -r "token\s*=" --include="*.py" src/; then
+            echo "❌ Found hardcoded tokens in src/"
+            exit 1
+          fi
+          echo "✅ No hardcoded secrets found"

.gitea/workflows/release.yml

@@ -6,10 +6,15 @@ on:
   tags:
     - 'v*'
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   semantic-release:
     runs-on: ubuntu-latest
-    if: github.ref == 'refs/heads/main'
+    timeout-minutes: 10
+    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
     outputs:
       new_release_version: ${{ steps.semantic.outputs['new_release_version'] }}
       new_release_published: ${{ steps.semantic.outputs['new_release_published'] }}
@@ -59,8 +64,8 @@ jobs:
 
   build:
     runs-on: ubuntu-latest
-    needs: [semantic-release]
+    timeout-minutes: 15
-    if: github.ref == 'refs/tags/v*' || github.event_name == 'push'
+    if: github.ref == 'refs/tags/v*'
     
     outputs:
       version: ${{ steps.version.outputs.version }}
@@ -76,14 +81,10 @@ jobs:
           echo "Python $(python3 --version)"
           echo "$HOME/.local/bin" >> $GITHUB_PATH
       
-      - name: Get version from tag or pyproject
+      - name: Get version from tag
         id: version
         run: |
-          if [[ $GITHUB_REF == refs/tags/v* ]]; then
+          VERSION=${GITHUB_REF#refs/tags/v}
-            VERSION=${GITHUB_REF#refs/tags/v}
-          else
-            VERSION=$(uv run python -c "import tomllib; print(tomllib.load(open('pyproject.toml', 'rb'))['project']['version'])")
-          fi
           echo "version=$VERSION" >> $GITHUB_OUTPUT
       
       - name: Install dependencies (production only)
@@ -102,6 +103,7 @@ jobs:
   publish-gitea:
     needs: build
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     if: startsWith(github.ref, 'refs/tags/v')
     
     steps:
@@ -117,30 +119,3 @@ jobs:
             --username ${{ github.actor }} \
             --password ${{ secrets.GITEA_TOKEN }} \
             https://git.much-data.ru/api/packages/${{ github.repository_owner }}/pypi
-
-  docs:
-    needs: build
-    runs-on: ubuntu-latest
-    if: github.ref == 'refs/heads/main'
-    
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-      
-      - name: Use system Python
-        run: |
-          echo "$HOME/.local/bin" >> $GITHUB_PATH
-      
-      - name: Install dependencies
-        run: uv sync --no-dev
-      
-      - name: Build documentation
-        run: uv run mkdocs build
-      
-      - name: Deploy to Gitea Pages
-        uses: peaceiris/actions-gh-pages@v4
-        with:
-          personal_token: ${{ secrets.GITEA_TOKEN }}
-          publish_dir: ./site
-          external_repository: ${{ github.repository_owner }}/${{ github.event.repository.name }}-docs
-          publish_branch: gh-pages

CONTRIBUTING.md

@@ -17,6 +17,23 @@ uv sync --group dev
 uv run pre-commit install
 ```
 
+## Documentation
+
+Generate documentation locally:
+
+```bash
+# Install docs dependencies
+uv sync --group dev
+
+# Build HTML docs
+uv run mkdocs build
+
+# Serve locally (optional)
+uv run mkdocs serve
+```
+
+Documentation is built automatically by CI and available in `site/` folder.
+
 ## Branch Naming
 
 - `feature/description` — новые фичи
@@ -76,20 +93,20 @@ docs(api): update client examples
 ## CI/CD
 
 **PR Checks:**
-- ✅ Тесты с coverage
+- ✅ Тесты с coverage (90% threshold)
-- ✅ Линтинг
+- ✅ Линтинг (ruff)
-- ✅ Форматирование
+- ✅ Форматирование (ruff format)
-- ✅ Безопасность (secrets scan)
+- ✅ Безопасность (pip-audit + secrets scan)
 - ✅ Commitlint (PR title)
 
 **Release (merge в main):**
-- 📦 Сборка пакета
+- 📦 Semantic release (auto versioning)
-- 🚀 Публикация в Gitea Packages
+- 📝 CHANGELOG generation
-- 📚 Деплой документации
+- 🏷️ Git tag creation
 
 **Tag (v*):**
-- 🏷️ Создание релиза
+- 📦 Сборка пакета
-- 📦 Публикация версии
+- 🚀 Публикация в Gitea Packages
 
 ## Versioning
 

pyproject.toml

@@ -36,6 +36,7 @@ dev = [
     "respx>=0.20.0",
     "ruff>=0.3.0",
     "semantic-release>=24.0.0",
+    "pip-audit>=2.7.0",
 ]
 
 [project.urls]