add shared no-tracked-dotenv CI guard

Add the shared dotenv guard script and enforce it in CI to block tracked .env* and *.env files outside .secrets.

.gitea/workflows/no-tracked-dotenv.yml

@@ -0,0 +1,16 @@
+name: no-tracked-dotenv
+
+on:
+  push:
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  verify-no-tracked-dotenv:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Ensure no tracked dotenv files
+        run: bash scripts/check-no-tracked-dotenv-files.sh

scripts/check-no-tracked-dotenv-files.sh

@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+TARGET_REPO="${1:-$(pwd)}"
+ALLOWED_PREFIX="${2:-.secrets/}"
+TAG="${3:-[check-no-tracked-dotenv]}"
+ALLOWLIST_FILE="${4:-}"
+
+if [[ ! -d "${TARGET_REPO}/.git" ]]; then
+	echo "${TAG} ERR not a git repository: ${TARGET_REPO}" >&2
+	exit 1
+fi
+
+tracked_dotenv="$(
+	git -C "$TARGET_REPO" ls-files | awk -v allowed="$ALLOWED_PREFIX" '
+		/(^|\/)(\.env($|\.|\/)|[^\/]+\.env($|\/))/ {
+			if ($0 !~ ("^" allowed)) print
+		}
+	'
+)"
+
+if [[ -n "$ALLOWLIST_FILE" && -f "$ALLOWLIST_FILE" ]]; then
+	filtered_dotenv=""
+	while IFS= read -r dotenv_path; do
+		[[ -z "$dotenv_path" ]] && continue
+		allowed_match=0
+		while IFS= read -r allowed_path; do
+			allowed_trimmed="$(printf '%s' "$allowed_path" | awk '{$1=$1;print}')"
+			[[ -z "$allowed_trimmed" ]] && continue
+			[[ "$allowed_trimmed" == \#* ]] && continue
+			if [[ "$dotenv_path" == "$allowed_trimmed" ]]; then
+				allowed_match=1
+				break
+			fi
+		done < "$ALLOWLIST_FILE"
+		if [[ "$allowed_match" -eq 0 ]]; then
+			filtered_dotenv+="${dotenv_path}"$'\n'
+		fi
+	done <<< "$tracked_dotenv"
+	tracked_dotenv="${filtered_dotenv%$'\n'}"
+fi
+
+if [[ -n "$tracked_dotenv" ]]; then
+	echo "${TAG} ERR tracked .env files are forbidden outside ${ALLOWED_PREFIX}" >&2
+	printf '%s\n' "$tracked_dotenv" >&2
+	exit 1
+fi
+
+echo "${TAG} OK"