
ci: add ruff, pip-audit, CodeQL, and least-privilege permissions#15

Open
KristianP26 wants to merge 7 commits into DavidHruby1:main from KristianP26:ci/tooling

Conversation

@KristianP26 (Contributor)

Summary

Strengthens CI with linting/formatting, least-privilege permissions, supply-chain CVE scanning, and static security analysis.

Changes

  • ruff — new ruff.toml (line-length 100, target-version py311). Fixed existing lint findings (unused imports; one load-bearing unused binding in main.py kept with # noqa: F841) and applied ruff format across the codebase. New lint job runs ruff check + ruff format --check.
  • Least-privilege permissions — ci.yml now declares top-level permissions: contents: read; codeql.yml scopes its own.
  • pip-audit — new audit job scans requirements.txt + requirements-build.txt for known CVEs (runs on Python 3.12 so the pyinstaller pin resolves). Currently clean.
  • CodeQL — new codeql.yml running Python static analysis on push/PR to main and weekly.

Commits

Split into focused commits: ruff config → lint fixes → format → CI jobs → CodeQL → docs.

Verification

ruff check src/ tests/          # All checks passed!
ruff format --check src/ tests/ # already formatted
python -m unittest discover -s tests   # 36 passing

Note

The repo-wide ruff format commit will conflict with the open custom-hotkeys PR (#13), which rewrites several of the same files. Suggested order: merge #13 first, then rebase this branch and re-run ruff format.

ruff is pinned to 0.15.15 in the workflow; since it isn't a requirements manifest, Dependabot won't bump it — update manually when desired.
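As an added illustration of the three CI changes listed above (a top-level least-privilege `permissions` block, a ruff lint job, and a pip-audit job), here is a workflow in the shape the description implies. This is example code written for this page, not the PR's actual ci.yml: the workflow and job names, the `actions/checkout` and `actions/setup-python` versions, and the exact `pip-audit` invocation are assumptions; the ruff pin, the Python versions and the manifest file names are taken from the PR text.

```yaml
# Added example, not the PR's own ci.yml. Assumed: workflow/job names,
# action versions, and the pip-audit command line. From the PR text:
# ruff==0.15.15, Python 3.11 target, Python 3.12 for the audit job,
# requirements.txt and requirements-build.txt.
name: ci

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Least privilege: every job's GITHUB_TOKEN can only read repository contents.
# A job that needs more (e.g. writing security events) must opt in itself.
permissions:
  contents: read

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      # Pin the linter so results do not drift when a new ruff release lands.
      - run: pip install ruff==0.15.15
      - run: ruff check src/ tests/
      - run: ruff format --check src/ tests/

  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          # 3.12 so the pinned pyinstaller in requirements-build.txt resolves.
          python-version: "3.12"
      - run: pip install pip-audit
      # Scan both manifests against the known-vulnerability database;
      # any finding makes the step (and the job) fail.
      - run: pip-audit -r requirements.txt -r requirements-build.txt
```

The `permissions: contents: read` block is what makes the default token read-only for the whole workflow; a job that must write (the CodeQL upload step needs `security-events: write`) declares that at job level in its own workflow, which is why the description has codeql.yml scoping its own permissions rather than widening the default here. Pinning `ruff==0.15.15` in the step is exactly the situation the note above describes: it is not in a requirements manifest, so Dependabot will not bump it.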

@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@DavidHruby1 (Owner)

Please rebase this onto current and resolve the conflicts before reopening. Also, this PR currently mixes CI/CD changes with Ruff/security code edits in src/ and tests/, so if the intent is to keep it as a pipeline PR, please split the non-CI changes out or confirm the bundled scope. Once it’s clean and up to date, I can merge it without touching the branch myself.

@DavidHruby1 (Owner)

Please rebase this onto the current base branch and resolve the conflicts before reopening. Also, this PR currently mixes CI/CD changes with Ruff/security code edits in src/ and tests/, so if the intent is to keep it as a pipeline PR, please split the non-CI changes out or confirm the bundled scope. Once it’s clean and up to date, I can merge it without touching the branch myself.

@KristianP26 (Contributor, Author)

Rebased onto current main and force-pushed — conflicts resolved, the branch now shows as mergeable. The repo-wide ruff format and lint fixes were regenerated against the new base (same ruff 0.15.15 as the CI pin), and the four iterative CodeQL masking commits were squashed into one; the resulting diff is logically identical to the original PR.

On scope: confirming the bundled scope. The src/ and tests/ edits are exactly what the new CI jobs enforce — without the lint fixes, format pass, and the config CLI masking, the lint and CodeQL jobs added here would fail on their own PR. Splitting them out would just create a second PR this one hard-depends on.

Verification on the rebased branch:

ruff check src/ tests/          # All checks passed!
ruff format --check src/ tests/ # 26 files already formatted
python -m unittest discover -s tests   # 84 tests, OK
