ci: rework pipeline to dev → testing → main promotion

- Add merge-to-testing job: after all CI checks pass on dev, auto-merge
  into testing with --no-ff for clear merge history
- Move open-pr job to trigger on testing branch instead of dev
- PR now opens testing → main instead of dev → main
- Add bandit and pip-audit jobs to pr.yml PR gate for full suite coverage
- PR gate test job now installs dev dependencies consistently

.gitea/workflows/ci.yml

@@ -56,18 +56,39 @@ jobs:
       - run: pip install -e .[dev]
       - run: pip-audit --skip-editable
 
+  merge-to-testing:
+    name: Merge dev → testing
+    runs-on: ubuntu-latest
+    needs: [lint, test, bandit, pip-audit]
+    if: github.ref == 'refs/heads/dev'
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.DECNET_PR_TOKEN }}
+      - name: Configure git
+        run: |
+          git config user.name "DECNET CI"
+          git config user.email "ci@decnet.local"
+      - name: Merge dev into testing
+        run: |
+          git fetch origin testing
+          git checkout testing
+          git merge origin/dev --no-ff -m "ci: auto-merge dev → testing"
+          git push origin testing
+
   open-pr:
     name: Open PR to main
     runs-on: ubuntu-latest
     needs: [lint, test, bandit, pip-audit]
-    if: github.ref == 'refs/heads/dev'
+    if: github.ref == 'refs/heads/testing'
     steps:
       - name: Open PR via Gitea API
         run: |
           echo "--- Checking for existing open PRs ---"
           LIST_RESPONSE=$(curl -s \
             -H "Authorization: token ${{ secrets.DECNET_PR_TOKEN }}" \
-            "https://git.resacachile.cl/api/v1/repos/anti/DECNET/pulls?state=open&head=anti:dev&base=main&limit=5")
+            "https://git.resacachile.cl/api/v1/repos/anti/DECNET/pulls?state=open&head=anti:testing&base=main&limit=5")
           echo "$LIST_RESPONSE"
           EXISTING=$(echo "$LIST_RESPONSE" | python3 -c "import sys, json; print(len(json.load(sys.stdin)))")
           echo "Open PRs found: $EXISTING"
@@ -80,10 +101,10 @@ jobs:
             -H "Authorization: token ${{ secrets.DECNET_PR_TOKEN }}" \
             -H "Content-Type: application/json" \
             -d '{
-              "title": "Auto PR: dev → main",
+              "title": "Auto PR: testing → main",
-              "head": "dev",
+              "head": "testing",
               "base": "main",
-              "body": "All CI and security checks passed. Review and merge when ready."
+              "body": "All CI and security checks passed on both dev and testing. Review and merge when ready."
             }' \
             "https://git.resacachile.cl/api/v1/repos/anti/DECNET/pulls")
           echo "$CREATE_RESPONSE"

.gitea/workflows/pr.yml

@@ -30,5 +30,28 @@ jobs:
       - uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
-      - run: pip install -e .
+      - run: pip install -e .[dev]
       - run: pytest tests/ -v --tb=short
+
+  bandit:
+    name: SAST (bandit)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - run: pip install bandit
+      - run: bandit -r decnet/ -ll -x decnet/services/registry.py
+
+  pip-audit:
+    name: Dependency audit (pip-audit)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - run: pip install pip-audit
+      - run: pip install -e .[dev]
+      - run: pip-audit --skip-editable