From 3a5e8782ca932a1b8f17e65b06d4cc302f6ff68e Mon Sep 17 00:00:00 2001 From: aitbc Date: Sun, 19 Apr 2026 21:21:49 +0200 Subject: [PATCH] ci: fix venv activation in security scanning workflow Changed from `source venv/bin/activate` to direct venv/bin/pip-audit and venv/bin/bandit calls to match the pattern used in other workflows for more reliable venv usage. --- .gitea/workflows/security-scanning.yml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/.gitea/workflows/security-scanning.yml b/.gitea/workflows/security-scanning.yml index 02946a36..74c90138 100644 --- a/.gitea/workflows/security-scanning.yml +++ b/.gitea/workflows/security-scanning.yml @@ -52,18 +52,16 @@ jobs: - name: Python dependency audit run: | cd /var/lib/aitbc-workspaces/security-scan/repo - source venv/bin/activate echo "=== Dependency Audit ===" - pip-audit -r requirements.txt --desc + venv/bin/pip-audit -r requirements.txt --desc echo "✅ Dependency audit completed" - name: Bandit security scan run: | cd /var/lib/aitbc-workspaces/security-scan/repo - source venv/bin/activate echo "=== Bandit Security Scan ===" if [[ "${{ github.event_name }}" == "schedule" || "${{ github.event_name }}" == "workflow_dispatch" ]]; then - bandit -r apps/ packages/py/ cli/ \ + venv/bin/bandit -r apps/ packages/py/ cli/ \ -s B101,B311 \ --severity-level medium \ -f txt -q @@ -76,7 +74,7 @@ jobs: fi printf '%s\n' "${python_files[@]}" - bandit \ + venv/bin/bandit \ -s B101,B311 \ --severity-level medium \ -f txt -q \
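Review bot: Both scanners are now run from a path inside the tree they scan (`venv/bin/pip-audit` and `venv/bin/bandit`, relative to `/var/lib/aitbc-workspaces/security-scan/repo`), and nothing in this hunk checks that those files are the tools the workflow installed. The step that builds the venv is outside the diff, so it cannot be confirmed from here whether it is recreated on every run; if the workspace is reused between runs, a stale or altered venv would be used without notice. Consider building the venv outside the checkout and referencing it through one variable, e.g. `SCAN_VENV=<dir outside the repo checkout>` followed by `"$SCAN_VENV/bin/pip-audit" -r requirements.txt --desc`. The same applies to the `venv/bin/bandit` call in the next hunk.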
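Review bot: The changed-files `venv/bin/bandit` call repeats the option set of the scheduled branch verbatim (`-s B101,B311 --severity-level medium -f txt -q`), so the two scan modes can drift apart when only one copy is edited. Neither copy says why B311, bandit's check for the standard pseudo-random generators, is skipped for the whole repository. Define the options once before the `if`, e.g. `bandit_args=(-s B101,B311 --severity-level medium -f txt -q)`, and pass `"${bandit_args[@]}"` at both call sites, with a comment giving the reason for each skipped test ID. The command continues past the end of this hunk, so its target arguments are not visible here.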