feat(ci): add C# linter and security scanner to PR checks

- dotnet format --verify-no-changes (C# code style linting)
- dotnet list package --vulnerable --include-transitive (NuGet vulnerability check)
- Trivy filesystem scan (CVE, secrets, dependency scanning)

.gitea/workflows/pr-checks.yml

@@ -20,6 +20,31 @@ jobs:
       - name: Restore dependencies
         run: dotnet restore
 
+      # ── Linting ──
+
+      - name: Lint C# code style
+        run: dotnet format --verify-no-changes --verbosity diagnostic
+
+      # ── Security ──
+
+      - name: Check NuGet packages for vulnerabilities
+        run: |
+          dotnet list package --vulnerable --include-transitive 2>&1 | tee nuget-audit.txt
+          if grep -qi "has the following vulnerable packages" nuget-audit.txt; then
+            echo "::error::Vulnerable NuGet packages found!"
+            exit 1
+          fi
+          echo "No vulnerable packages detected."
+
+      - name: Install Trivy
+        run: |
+          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.60.0
+
+      - name: Trivy filesystem security scan
+        run: trivy fs --exit-code 1 --severity HIGH,CRITICAL .
+
+      # ── Build ──
+
       - name: Build Shared
         run: dotnet build src/GmRelay.Shared/GmRelay.Shared.csproj --no-restore
 
@@ -29,5 +54,7 @@ jobs:
       - name: Build Web (compile check)
         run: dotnet build src/GmRelay.Web/GmRelay.Web.csproj --no-restore
 
+      # ── Tests ──
+
       - name: Run tests
         run: dotnet test tests/GmRelay.Bot.Tests/GmRelay.Bot.Tests.csproj --verbosity normal