ci: add cargo-audit supply-chain gate, drop orphaned -git PKGBUILD

Hygiene audit found deps clean but CI ran no vulnerability scan, so a
future advisory against a locked crate would go undetected. Add an
Audit workflow running cargo audit on push/PR — parses Cargo.lock,
needs no GTK4 build env.

Remove pkg/PKGBUILD: orphaned moonlock-git VCS recipe from the
pre-tag-build era, two minors behind; canonical packaging lives in
moonarch-pkgbuilds and is auto-bumped by update-pkgver.yaml. Drop the
now-dead pkg/* makepkg ignore lines and add .pytest_cache/.

No version bump — no change to the binary.

.gitea/workflows/ci.yaml

@@ -0,0 +1,22 @@
+# ABOUTME: Runs cargo audit (RustSec CVE scan) against the locked dependency tree.
+# ABOUTME: Supply-chain gate — fails on a known advisory.
+
+name: Audit
+
+on:
+  push:
+    branches: [main]
+    tags: ['v*']
+  pull_request:
+    branches: [main]
+
+jobs:
+  cargo-audit:
+    runs-on: moonarch
+    steps:
+      - name: Checkout
+        run: git clone http://gitea:3000/nevaforget/moonlock.git src
+      - name: Install cargo-audit
+        run: cargo install cargo-audit --locked
+      - name: Audit
+        run: cd src && cargo audit