ci: fix pip-audit invocation to scan exported requirements

`uvx pip-audit --disable-pip` requires `-r` plus either hashed
requirements or `--no-deps`. The previous invocation crashed at start.

Now: export the locked deps via `uv export --no-hashes --no-emit-project`
into a tmp requirements file (skipping the local editable install of
the project itself), then feed that to pip-audit with `--disable-pip
--no-deps`. Verified locally -- no known vulnerabilities found across
the 85 locked transitive deps.

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

Author: lelia

.github/workflows/python-tests.yml

@@ -62,8 +62,10 @@ jobs:
           from socketsecurity.config import CliConfig
           print('import smoke OK')
           "
-      - name: 🛡️ pip-audit (known CVEs in the synced env)
-        run: uvx pip-audit --strict --disable-pip --progress-spinner off
+      - name: 🛡️ pip-audit (known CVEs in the locked deps)
+        run: |
+          uv export --no-hashes --no-emit-project --format requirements-txt > /tmp/req-audit.txt
+          uvx pip-audit --strict --progress-spinner off --disable-pip --no-deps -r /tmp/req-audit.txt
 
   unsupported-python-install:
     runs-on: ubuntu-latest