Add Gitea Actions workflows, CI config, and docs

SECURITY.md

@@ -0,0 +1,31 @@
+# Security Policy — ${REPO_NAME}
+
+## Reporting a Vulnerability
+
+**Do NOT open a public issue for security vulnerabilities.**
+
+Instead, please report vulnerabilities privately:
+
+1. Email: **security@hiddenden.cafe** (preferred)
+2. Or use the Gitea "Security" issue template which reminds reporters to use private channels.
+
+Include:
+- Description of the vulnerability
+- Steps to reproduce
+- Potential impact
+- Suggested fix (if any)
+
+We aim to acknowledge reports within **48 hours** and provide a fix or mitigation plan
+within **7 days** for critical issues.
+
+## Supported Versions
+
+| Version | Supported |
+| ------- | --------- |
+| latest  | Yes       |
+
+## Security Scanning
+
+This repository optionally runs automated security scanning via Gitea Actions.
+To enable it, set `ENABLE_SECURITY=true` in `.ci/config.env`.
+See [docs/SECURITY.md](docs/SECURITY.md) for details.