chore: add github workflows

Author: liningping

.github/workflows/validate.yaml

@@ -0,0 +1,67 @@
+name: Validate
+
+on:
+  push:
+  pull_request:
+
+env:
+  PIP_DISABLE_PIP_VERSION_CHECK: true
+  PIP_INDEX_URL: https://mirrors.ustc.edu.cn/pypi/simple
+  PIP_PROGRESS_BAR: off
+  PIP_ROOT_USER_ACTION: ignore
+
+jobs:
+  create-venv:
+    runs-on: ubuntu-latest
+    name: Setup Python + uv
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python 3.12
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.12
+
+      - name: Install uv and dependencies
+        run: |
+          pip install uv
+          uv venv
+          uv pip install --group bandit --group mypy --group ruff --group secret
+        env:
+          PIP_INDEX_URL: ${{ env.PIP_INDEX_URL }}
+
+      - name: Save env variable
+        run: echo "PYPI_MIRROR=${{ env.PIP_INDEX_URL }}" >> $GITHUB_ENV
+
+  bandit:
+    runs-on: ubuntu-latest
+    needs: create-venv
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run bandit
+        run: .venv/bin/bandit -c pyproject.toml -r .
+
+  mypy:
+    runs-on: ubuntu-latest
+    needs: create-venv
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run mypy
+        run: .venv/bin/mypy .
+
+  ruff:
+    runs-on: ubuntu-latest
+    needs: create-venv
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run ruff
+        run: .venv/bin/ruff check .
+
+  secrets:
+    runs-on: ubuntu-latest
+    needs: create-venv
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run detect-secrets
+        run: .venv/bin/detect-secrets-hook --baseline .secrets.baseline