gitlab-ci: port to Safety 3.x and move to own job

https://docs.safetycli.com/safety-docs/installation/gitlab
https://docs.safetycli.com/safety-docs/administration/safety-policy-files

.gitlab-ci.yml

@@ -213,7 +213,7 @@ gradlew-fdroid:
 
 
 # Run all the various linters and static analysis tools.
-lint_format_safety_bandit_checks:
+lint_format_bandit_checks:
   image: debian:bookworm-slim
   variables:
     LANG: C.UTF-8
@@ -235,7 +235,7 @@ lint_format_safety_bandit_checks:
           python3-pip
           python3-yaml
           shellcheck
-    - $pip install --break-system-packages bandit safety
+    - $pip install --break-system-packages bandit
     - export EXITVALUE=0
     - function set_error() { export EXITVALUE=1; printf "\x1b[31mERROR `history|tail -2|head -1|cut -b 6-500`\x1b[0m\n"; }
     - ./hooks/pre-commit || set_error
@@ -244,7 +244,6 @@ lint_format_safety_bandit_checks:
         -ii
         --ini .bandit
         || set_error
-    - safety check --full-report || set_error
     - pylint --output-format=colorized --reports=n
             fdroid
             makebuildserver
@@ -258,6 +257,34 @@ lint_format_safety_bandit_checks:
     - exit $EXITVALUE
 
 
+# Check all the dependencies in Debian to mirror production.  CVEs are
+# generally fixed in the latest versions in pip/pypi.org, so it isn't
+# so important to scan that kind of install in CI.
+# https://docs.safetycli.com/safety-docs/installation/gitlab
+safety:
+  only:
+    changes:
+      - .gitlab-ci.yml
+      - .safety-policy.yml
+      - pyproject.toml
+      - setup.py
+  image: debian:bookworm-slim
+  <<: *apt-template
+  variables:
+    LANG: C.UTF-8
+  script:
+    - test -n "$SAFETY_API_KEY" || exit 0
+    - apt-get install
+        fdroidserver
+        python3-biplist
+        python3-pip
+        python3-pycountry
+    - $pip install --break-system-packages .
+
+    - $pip install --break-system-packages safety
+    - python3 -m safety --key "$SAFETY_API_KEY" --stage cicd scan
+
+
 # Run all the various linters and static analysis tools.
 locales:
   image: debian:bookworm-slim

.safety-policy.yml

@@ -1,7 +1,16 @@
 ---
 
-security:
+version: '3.0'
-  ignore-vulnerabilities:
+
+scanning-settings:
+  max-depth: 6
+  exclude:
+
+report:
+  dependency-vulnerabilities:
+    enabled: true
+    auto-ignore-in-report:
+      vulnerabilities:
         52495:
           reason: setuptools comes from Debian
           expires: '2025-01-31'
@@ -32,3 +41,15 @@ security:
         72236:
           reason: setuptools comes from Debian
           expires: '2026-08-31'
+
+fail-scan-with-exit-code:
+  dependency-vulnerabilities:
+    enabled: true
+    fail-on-any-of:
+      cvss-severity:
+        - critical
+        - high
+        - medium
+
+security-updates:
+  dependency-vulnerabilities: