---
trigger: always_on
---
- Secrets via environment variables; never commit secrets. Provide deploy/.env.example.
- Pin dependencies and enable vulnerability scanning where available in Gitea.