Add CI policy, strengthen hash-pinning rule, add Gitea Actions workflow

- All Dockerfiles must run make check as a build step
- Every repo needs a Gitea Actions workflow running docker build on push
- Greatly strengthen the hash-pinning rule: explicitly list all reference
  types, ban curl|bash installs, mark as most important rule in document
- Add model .gitea/workflows/check.yml pinned by commit hash

.gitea/workflows/check.yml

@@ -0,0 +1,9 @@
+name: check
+on: [push]
+jobs:
+    check:
+        runs-on: ubuntu-latest
+        steps:
+            # actions/checkout v4.2.2, 2026-02-22
+            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+            - run: docker build .

prompts/EXISTING_REPO_CHECKLIST.md

@@ -24,7 +24,10 @@ with your task.
       fetch from `https://git.eeqj.de/sneak/prompts/raw/branch/main/.gitignore`
       if missing
 - [ ] `.editorconfig` exists
-- [ ] `Dockerfile` and `.dockerignore` exist
+- [ ] `Dockerfile` and `.dockerignore` exist; Dockerfile runs `make check` as a
+      build step
+- [ ] Gitea Actions workflow in `.gitea/workflows/` runs `docker build .` on
+      push
 - [ ] Language-specific config:
     - [ ] Go: `go.mod`, `go.sum`, `.golangci.yml`
     - [ ] JS: `package.json`, `yarn.lock`, `.prettierrc`, `.prettierignore`

prompts/NEW_REPO_CHECKLIST.md

@@ -43,9 +43,12 @@ Template files can be fetched from:
 - [ ] `REPO_POLICIES.md` — fetch from `prompts/REPO_POLICIES.md` in the prompts
       repo
 - [ ] `Dockerfile` and `.dockerignore`
-    - Server: runs the application
+    - All Dockerfiles must run `make check` as a build step
+    - Server: also builds and runs the application
     - Non-server: brings up dev environment and runs `make check`
     - Image pinned by sha256 hash with version/date comment
+- [ ] Gitea Actions workflow at `.gitea/workflows/check.yml` that runs
+      `docker build .` on push
 - [ ] Language-specific:
     - [ ] Go: `go mod init sneak.berlin/go/<name>`, `.golangci.yml` (copy from
           `~/dev/upaas/.golangci.yml`)

prompts/REPO_POLICIES.md

@@ -6,9 +6,19 @@ Version: 2026-02-22
   `Version: YYYY-MM-DD` line near the top so it can be kept in sync with the
   authoritative source as policies evolve.
 
-- All references to Docker images, Go modules, and packages must use
+- **ALL external references must be pinned by cryptographic hash.** This
-  cryptographic hashes. Mutable references (tags, `@latest`, etc.) are remote
+  includes Docker base images, Go modules, npm packages, GitHub Actions, and
-  code execution vulnerabilities.
+  anything else fetched from a remote source. Version tags (`@v4`, `@latest`,
+  `:3.21`, etc.) are server-mutable and therefore remote code execution
+  vulnerabilities. The ONLY acceptable way to reference an external dependency
+  is by its content hash (Docker `@sha256:...`, Go module hash in `go.sum`, npm
+  integrity hash in lockfile, GitHub Actions `@<commit-sha>`). No exceptions.
+  This also means never `curl | bash` to install tools like pyenv, nvm, rustup,
+  etc. Instead, download a specific release archive from GitHub, verify its hash
+  (hardcoded in the Dockerfile or script), and only then install. Unverified
+  install scripts are arbitrary remote code execution. This is the single most
+  important rule in this document. Double-check every external reference in
+  every file before committing. There are zero exceptions to this rule.
 
 - Every repo with software must have a root `Makefile` with these targets:
   `make test`, `make lint`, `make fmt` (writes), `make fmt-check` (read-only),
@@ -20,9 +30,15 @@ Version: 2026-02-22
   instead of invoking the underlying tools directly. The Makefile is the single
   source of truth for how these operations are run.
 
-- Every repo should have a `Dockerfile`. For non-server repos, the Dockerfile
+- Every repo should have a `Dockerfile`. All Dockerfiles must run `make check`
-  should bring up a development environment and run `make check` (the build
+  as a build step so the build fails if the branch is not green. For non-server
-  should fail if the branch is not green).
+  repos, the Dockerfile should bring up a development environment and run
+  `make check`. For server repos, `make check` should run as an early build
+  stage before the final image is assembled.
+
+- Every repo should have a Gitea Actions workflow (`.gitea/workflows/`) that
+  runs `docker build .` on push. Since the Dockerfile already runs `make check`,
+  a successful build implies all checks pass.
 
 - Use platform-standard formatters: `black` for Python, `prettier` for
   JS/CSS/Markdown/HTML, `go fmt` for Go. Always use default configuration with
@@ -129,6 +145,7 @@ Version: 2026-02-22
     - `README.md`, `.git`, `.gitignore`, `.editorconfig`
     - `REPO_POLICIES.md` (copy from the `prompts` repo)
     - `Dockerfile`, `.dockerignore`
+    - `.gitea/workflows/check.yml`
     - Go: `go.mod`, `go.sum`, `.golangci.yml`
     - JS: `package.json`, `yarn.lock`, `.prettierrc`, `.prettierignore`
     - Python: `pyproject.toml`