From 262a8be32641eddbf9f51fd89ef0e0e895a643ab Mon Sep 17 00:00:00 2001
From: Chris Farhood
Date: Sat, 16 May 2026 18:55:32 -0400
Subject: [PATCH] ci: migrate from GitHub Actions to Gitea Actions

Move workflows to .gitea/workflows and adapt for git.farh.net:
- Push container images to git.farh.net instead of GHCR/Docker Hub
- Publish Helm chart as OCI artifact (no gh-pages, Gitea lacks Pages)
- Replace cosign keyless signing with key-based (COSIGN_PRIVATE_KEY/PASSWORD/PUBLIC_KEY)
- Swap @semantic-release/github for semantic-release-gitea
- Drop gh CLI from rollback workflow
- Use GITEA_TOKEN for registry auth and release creation
- Add Artifact Hub annotations to Chart.yaml
- Run on ubuntu-latest

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 {.github => .gitea}/workflows/ci.yml | 26 ++---
 .gitea/workflows/helm-release.yml | 41 ++++++++
 .../workflows/release-beta.yml | 75 ++++++++-------
 {.github => .gitea}/workflows/release.yml | 94 +++++++++++--------
 .../workflows/rollback-beta.yml | 2 +-
 {.github => .gitea}/workflows/rollback.yml | 39 ++++----
 .github/workflows/helm-release.yml | 53 -----------
 .gitignore | 2 +
 .releaserc.json | 9 +-
 charts/hightower/Chart.yaml | 21 +++++
 10 files changed, 193 insertions(+), 169 deletions(-)
 rename {.github => .gitea}/workflows/ci.yml (80%)
 create mode 100644 .gitea/workflows/helm-release.yml
 rename {.github => .gitea}/workflows/release-beta.yml (68%)
 rename {.github => .gitea}/workflows/release.yml (68%)
 rename {.github => .gitea}/workflows/rollback-beta.yml (98%)
 rename {.github => .gitea}/workflows/rollback.yml (72%)
 delete mode 100644 .github/workflows/helm-release.yml

diff --git a/.github/workflows/ci.yml b/.gitea/workflows/ci.yml
similarity index 80%
rename from .github/workflows/ci.yml
rename to .gitea/workflows/ci.yml
index a25e847..74e0e57 100644
--- a/.github/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -16,7 +16,7 @@ concurrency:
 jobs:
 check:
 name: Type-check & lint
- runs-on: runners-farhoodlabs
+ runs-on: ubuntu-latest
 steps:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -43,7 +43,7 @@ jobs:
 name: Build & push worker image
 needs: check
 if: github.event_name == 'push' && github.ref == 'refs/heads/main'
- runs-on: runners-farhoodlabs
+ runs-on: ubuntu-latest
 permissions:
 contents: read
 packages: write
@@ -55,12 +55,12 @@ jobs:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- - name: Log in to GHCR
+ - name: Log in to Gitea registry
 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
 with:
- registry: ghcr.io
+ registry: git.farh.net
 username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
+ password: ${{ secrets.GITEA_TOKEN }}
 - name: Build and push worker image
 uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
@@ -68,14 +68,14 @@ jobs:
 context: .
 push: true
 tags: |
- ghcr.io/farhoodlabs/trebuchet:latest
- ghcr.io/farhoodlabs/trebuchet:sha-${{ github.sha }}
+ git.farh.net/farhoodlabs/trebuchet:latest
+ git.farh.net/farhoodlabs/trebuchet:sha-${{ github.sha }}
 build-api:
 name: Build & push API image
 needs: check
 if: github.event_name == 'push' && github.ref == 'refs/heads/main'
- runs-on: runners-farhoodlabs
+ runs-on: ubuntu-latest
 permissions:
 contents: read
 packages: write
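Review bot: The registry login in the `@@ -55,12` hunk pairs `username: ${{ github.actor }}` with `password: ${{ secrets.GITEA_TOKEN }}`, which only works if the token belongs to whoever triggered the run. On Gitea Actions a `GITEA_TOKEN` is issued automatically per run for the triggering repository, and as far as I know Gitea does not enforce the `permissions:` block the way GitHub does, so the kept `packages: write` documents intent rather than scoping the token. If instead `GITEA_TOKEN` is a repository secret holding a long-lived personal access token of a bot account, `github.actor` will not match the token owner for pushes by other users and the login fails or authenticates as the wrong identity; in that case hard-code `username:` to that account. Whichever it is, a one-line comment above the step would stop the next reader guessing, e.g. `# GITEA_TOKEN is the per-run token Gitea injects; it is not a stored PAT`.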
@@ -87,12 +87,12 @@ jobs:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- - name: Log in to GHCR
+ - name: Log in to Gitea registry
 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
 with:
- registry: ghcr.io
+ registry: git.farh.net
 username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
+ password: ${{ secrets.GITEA_TOKEN }}
 - name: Build and push API image
 uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
@@ -102,5 +102,5 @@ jobs:
 push: true
 no-cache: true
 tags: |
- ghcr.io/farhoodlabs/trebuchet-api:latest
- ghcr.io/farhoodlabs/trebuchet-api:sha-${{ github.sha }}
+ git.farh.net/farhoodlabs/trebuchet-api:latest
+ git.farh.net/farhoodlabs/trebuchet-api:sha-${{ github.sha }}
diff --git a/.gitea/workflows/helm-release.yml b/.gitea/workflows/helm-release.yml
new file mode 100644
index 0000000..e022893
--- /dev/null
+++ b/.gitea/workflows/helm-release.yml
@@ -0,0 +1,41 @@
+name: Helm Chart Release
+
+on:
+ push:
+ branches: [main]
+ paths:
+ - 'charts/hightower/**'
+
+permissions:
+ contents: read
+ packages: write
+
+jobs:
+ release:
+ name: Lint, package & push OCI
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+ - name: Install Helm
+ uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
+
+ - name: Lint chart
+ run: helm lint charts/hightower
+
+ - name: Package chart
+ run: |
+ mkdir -p .helm-packages
+ helm package charts/hightower -d .helm-packages
+
+ - name: Log in to Gitea OCI registry
+ run: |
+ echo "${{ secrets.GITEA_TOKEN }}" | helm registry login git.farh.net \
+ --username "${{ github.actor }}" \
+ --password-stdin
+
+ - name: Push chart to Gitea OCI registry
+ run: |
+ PACKAGE=$(ls .helm-packages/*.tgz | head -1)
+ helm push "$PACKAGE" oci://git.farh.net/farhoodlabs/charts
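Review bot: In the new helm-release.yml, `echo "${{ secrets.GITEA_TOKEN }}" | helm registry login ...` interpolates the secret and `github.actor` into the shell script text before it executes, so the token becomes part of the materialised script on the runner and an actor name containing shell metacharacters would be spliced into the command; every other login in this patch passes credentials through `with:`/`env:`, and this step should do the same. Separately, the chart pushed to `oci://git.farh.net/farhoodlabs/charts` is neither signed nor verified, unlike the container images, so consumers have nothing to check it against; a `cosign sign` of the pushed chart digest with the same release key would close that gap. Suggested rewrite of the login step:
```yaml
      - name: Log in to Gitea OCI registry
        env:
          HELM_REGISTRY_USER: ${{ github.actor }}
          HELM_REGISTRY_TOKEN: ${{ secrets.GITEA_TOKEN }}
        run: |
          printf '%s' "$HELM_REGISTRY_TOKEN" | helm registry login git.farh.net \
            --username "$HELM_REGISTRY_USER" \
            --password-stdin
      # … unchanged: Push chart to Gitea OCI registry …
```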
diff --git a/.github/workflows/release-beta.yml b/.gitea/workflows/release-beta.yml
similarity index 68%
rename from .github/workflows/release-beta.yml
rename to .gitea/workflows/release-beta.yml
index 6fcdd9a..9bbd5e2 100644
--- a/.github/workflows/release-beta.yml
+++ b/.gitea/workflows/release-beta.yml
@@ -13,7 +13,7 @@ concurrency:
 jobs:
 preflight:
 name: Preflight
- runs-on: runners-farhoodlabs
+ runs-on: ubuntu-latest
 outputs:
 version: ${{ steps.version.outputs.version }}
@@ -35,7 +35,6 @@ jobs:
 if [[ -z "$LATEST" ]]; then
 echo "version=1.0.0-beta.1" >> "$GITHUB_OUTPUT"
 else
- # Extract N from 1.0.0-beta.N and increment
 N=$(echo "$LATEST" | grep -oE 'beta\.([0-9]+)' | grep -oE '[0-9]+')
 NEXT=$((N + 1))
 echo "version=1.0.0-beta.$NEXT" >> "$GITHUB_OUTPUT"
@@ -47,9 +46,10 @@ jobs:
 build-docker:
 name: Build Docker (worker)
 needs: preflight
- runs-on: runners-farhoodlabs
+ runs-on: ubuntu-latest
 permissions:
 contents: read
+ packages: write
 steps:
 - name: Checkout
@@ -58,11 +58,12 @@ jobs:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- - name: Log in to Docker Hub
+ - name: Log in to Gitea registry
 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
 with:
- username: ${{ secrets.DOCKERHUB_USERNAME }}
- password: ${{ secrets.DOCKERHUB_TOKEN }}
+ registry: git.farh.net
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITEA_TOKEN }}
 - name: Build and push worker image
 uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
@@ -71,14 +72,15 @@ jobs:
 push: true
 provenance: mode=max
 sbom: true
- tags: farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}
+ tags: git.farh.net/farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}
 build-docker-api:
 name: Build Docker (API)
 needs: preflight
- runs-on: runners-farhoodlabs
+ runs-on: ubuntu-latest
 permissions:
 contents: read
+ packages: write
 steps:
 - name: Checkout
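Review bot: In the `@@ -71,14` hunk the build keeps `provenance: mode=max` and `sbom: true` while retargeting the push to `git.farh.net`; BuildKit stores those attestations as additional entries in the image index, and the sign-docker job later hashes `imagetools inspect --raw` output to obtain the digest it signs. Whether Gitea's container registry retains those attestation manifests unchanged is something this patch does not establish, so the first beta run should confirm that the signed digest equals the digest the registry reports for the tag. A comment on the `provenance:` line would record the dependency, e.g. `# attestations become extra index entries; the digest signed in sign-docker covers the whole index`. The `Build and push` step's `with:` block begins above this hunk.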
@@ -87,11 +89,12 @@ jobs:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- - name: Log in to Docker Hub
+ - name: Log in to Gitea registry
 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
 with:
- username: ${{ secrets.DOCKERHUB_USERNAME }}
- password: ${{ secrets.DOCKERHUB_TOKEN }}
+ registry: git.farh.net
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITEA_TOKEN }}
 - name: Build and push API image
 uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
@@ -101,15 +104,15 @@ jobs:
 push: true
 provenance: mode=max
 sbom: true
- tags: farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}
+ tags: git.farh.net/farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}
 sign-docker:
 name: Sign Docker images
 needs: [preflight, build-docker, build-docker-api]
- runs-on: runners-farhoodlabs
+ runs-on: ubuntu-latest
 permissions:
 contents: read
- id-token: write
+ packages: write
 outputs:
 worker_digest: ${{ steps.inspect-worker.outputs.digest }}
 api_digest: ${{ steps.inspect-api.outputs.digest }}
@@ -118,57 +121,63 @@ jobs:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- - name: Log in to Docker Hub
+ - name: Log in to Gitea registry
 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
 with:
- username: ${{ secrets.DOCKERHUB_USERNAME }}
- password: ${{ secrets.DOCKERHUB_TOKEN }}
+ registry: git.farh.net
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITEA_TOKEN }}
 - name: Inspect worker image
 id: inspect-worker
 run: |
- docker buildx imagetools inspect "farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}"
- DIGEST="sha256:$(docker buildx imagetools inspect --raw "farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}" | sha256sum | cut -d' ' -f1)"
+ docker buildx imagetools inspect "git.farh.net/farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}"
+ DIGEST="sha256:$(docker buildx imagetools inspect --raw "git.farh.net/farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}" | sha256sum | cut -d' ' -f1)"
 echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"
 - name: Inspect API image
 id: inspect-api
 run: |
- docker buildx imagetools inspect "farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}"
- DIGEST="sha256:$(docker buildx imagetools inspect --raw "farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}" | sha256sum | cut -d' ' -f1)"
+ docker buildx imagetools inspect "git.farh.net/farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}"
+ DIGEST="sha256:$(docker buildx imagetools inspect --raw "git.farh.net/farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}" | sha256sum | cut -d' ' -f1)"
 echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"
 - name: Install cosign
 uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
 - name: Sign worker image
- run: cosign sign --yes "farhoodlabs/trebuchet@${{ steps.inspect-worker.outputs.digest }}"
+ env:
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+ COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+ run: cosign sign --yes --key env://COSIGN_PRIVATE_KEY "git.farh.net/farhoodlabs/trebuchet@${{ steps.inspect-worker.outputs.digest }}"
 - name: Sign API image
- run: cosign sign --yes "farhoodlabs/trebuchet-api@${{ steps.inspect-api.outputs.digest }}"
+ env:
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+ COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+ run: cosign sign --yes --key env://COSIGN_PRIVATE_KEY "git.farh.net/farhoodlabs/trebuchet-api@${{ steps.inspect-api.outputs.digest }}"
 - name: Verify worker image signature
+ env:
+ COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
 run: |
 sleep 10
- cosign verify \
- --certificate-oidc-issuer https://token.actions.githubusercontent.com \
- --certificate-identity https://github.com/${{ github.repository }}/.github/workflows/release-beta.yml@${{ github.ref }} \
- "farhoodlabs/trebuchet@${{ steps.inspect-worker.outputs.digest }}"
+ cosign verify --key env://COSIGN_PUBLIC_KEY \
+ "git.farh.net/farhoodlabs/trebuchet@${{ steps.inspect-worker.outputs.digest }}"
 - name: Verify API image signature
+ env:
+ COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
 run: |
- cosign verify \
- --certificate-oidc-issuer https://token.actions.githubusercontent.com \
- --certificate-identity https://github.com/${{ github.repository }}/.github/workflows/release-beta.yml@${{ github.ref }} \
- "farhoodlabs/trebuchet-api@${{ steps.inspect-api.outputs.digest }}"
+ cosign verify --key env://COSIGN_PUBLIC_KEY \
+ "git.farh.net/farhoodlabs/trebuchet-api@${{ steps.inspect-api.outputs.digest }}"
 publish-npm:
 name: Publish npm (beta)
 needs: [preflight, sign-docker]
- runs-on: runners-farhoodlabs
+ runs-on: ubuntu-latest
 permissions:
 contents: read
- id-token: write
 steps:
 - name: Checkout
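Review bot: The verify steps read `COSIGN_PUBLIC_KEY` from `secrets`, the same store that holds `COSIGN_PRIVATE_KEY` and `COSIGN_PASSWORD`, so `cosign verify --key env://COSIGN_PUBLIC_KEY` only proves the sign step ran with a matching key: anyone who can edit repository secrets can replace both halves and the check still passes, and consumers of the beta images have no published key to verify against. The public half is not secret; commit it (this patch instead adds `cosign.pub` to `.gitignore`) and verify with `cosign verify --key cosign.pub ...` so the workflow checks against the key downstream users will use. Two smaller points on the new lines: the signed digest is obtained by hashing `imagetools inspect --raw` output locally rather than asking the registry (`--format '{{json .Manifest.Digest}}'` or the `digest` output of the build job is more robust), and with `--key` cosign 2.x still uploads an entry to the public Rekor log by default, which now exposes the private-forge image names; add `--tlog-upload=false` (and `--insecure-ignore-tlog` on verify) if that is not intended. The sign-docker job's checkout step lies above this hunk.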
diff --git a/.github/workflows/release.yml b/.gitea/workflows/release.yml
similarity index 68%
rename from .github/workflows/release.yml
rename to .gitea/workflows/release.yml
index 21a8551..18ac2a0 100644
--- a/.github/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -13,7 +13,7 @@ concurrency:
 jobs:
 preflight:
 name: Preflight
- runs-on: runners-farhoodlabs
+ runs-on: ubuntu-latest
 permissions:
 contents: write
 outputs:
@@ -42,11 +42,12 @@ jobs:
 id: probe
 shell: bash
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITEA_URL: https://git.farh.net
+ GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
 run: |
 set -euo pipefail
- npx semantic-release@25 --dry-run --no-ci 2>&1 | tee semantic-release.log
+ npx -p semantic-release@25 -p semantic-release-gitea semantic-release --dry-run --no-ci 2>&1 | tee semantic-release.log
 if grep -qi "the next release version is" semantic-release.log; then
 echo "should_release=true" >> "$GITHUB_OUTPUT"
@@ -60,9 +61,10 @@ jobs:
 name: Build Docker (worker)
 needs: preflight
 if: needs.preflight.outputs.should_release == 'true'
- runs-on: runners-farhoodlabs
+ runs-on: ubuntu-latest
 permissions:
 contents: read
+ packages: write
 steps:
 - name: Checkout
@@ -71,11 +73,12 @@ jobs:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- - name: Log in to Docker Hub
+ - name: Log in to Gitea registry
 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
 with:
- username: ${{ secrets.DOCKERHUB_USERNAME }}
- password: ${{ secrets.DOCKERHUB_TOKEN }}
+ registry: git.farh.net
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITEA_TOKEN }}
 - name: Build and push worker image
 uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
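Review bot: In the `@@ -42,11` hunk, `npx -p semantic-release@25 -p semantic-release-gitea semantic-release` fetches `semantic-release-gitea` unpinned from the npm registry on every run, inside a job that holds `contents: write` and `GITEA_TOKEN`, so a hijacked or typosquatted publish of that package executes with release credentials; the `@25` on semantic-release shows the discipline intended. Pin it to an exact version, or better add it to `devDependencies` so the lockfile covers it and invoke `pnpm exec semantic-release` instead of `npx -p`. Minor: `GITEA_URL: https://git.farh.net` is hard-coded while `${{ github.server_url }}` would track the forge hosting the workflow. The probe step's `name:` line is above this hunk.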
@@ -85,16 +88,17 @@ jobs:
 provenance: mode=max
 sbom: true
 tags: |
- farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}
- farhoodlabs/trebuchet:latest
+ git.farh.net/farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}
+ git.farh.net/farhoodlabs/trebuchet:latest
 build-docker-api:
 name: Build Docker (API)
 needs: preflight
 if: needs.preflight.outputs.should_release == 'true'
- runs-on: runners-farhoodlabs
+ runs-on: ubuntu-latest
 permissions:
 contents: read
+ packages: write
 steps:
 - name: Checkout
@@ -103,11 +107,12 @@ jobs:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- - name: Log in to Docker Hub
+ - name: Log in to Gitea registry
 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
 with:
- username: ${{ secrets.DOCKERHUB_USERNAME }}
- password: ${{ secrets.DOCKERHUB_TOKEN }}
+ registry: git.farh.net
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITEA_TOKEN }}
 - name: Build and push API image
 uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
@@ -118,16 +123,16 @@ jobs:
 provenance: mode=max
 sbom: true
 tags: |
- farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}
- farhoodlabs/trebuchet-api:latest
+ git.farh.net/farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}
+ git.farh.net/farhoodlabs/trebuchet-api:latest
 sign-docker:
 name: Sign Docker images
 needs: [preflight, build-docker, build-docker-api]
- runs-on: runners-farhoodlabs
+ runs-on: ubuntu-latest
 permissions:
 contents: read
- id-token: write
+ packages: write
 outputs:
 worker_digest: ${{ steps.inspect-worker.outputs.digest }}
 api_digest: ${{ steps.inspect-api.outputs.digest }}
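Review bot: The new `tags:` lines push `git.farh.net/farhoodlabs/trebuchet:latest` (and `...-api:latest` in the `@@ -118,16` hunk) in the same build step as the versioned tag, before the sign-docker job has signed or verified anything, so a failure in signing leaves an unsigned image behind `latest` and the rollback workflow's verify-before-retag protection covers only the rollback path. Publish only the versioned tag here and move `latest` after verification with `docker buildx imagetools create --tag git.farh.net/farhoodlabs/trebuchet:latest git.farh.net/farhoodlabs/trebuchet@<digest>`, the pattern rollback.yml already uses. The `Build and push` step's earlier `with:` keys (`context`, `push`) lie above this hunk.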
@@ -136,57 +141,63 @@ jobs:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- - name: Log in to Docker Hub
+ - name: Log in to Gitea registry
 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
 with:
- username: ${{ secrets.DOCKERHUB_USERNAME }}
- password: ${{ secrets.DOCKERHUB_TOKEN }}
+ registry: git.farh.net
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITEA_TOKEN }}
 - name: Inspect worker image
 id: inspect-worker
 run: |
- docker buildx imagetools inspect "farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}"
- DIGEST="sha256:$(docker buildx imagetools inspect --raw "farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}" | sha256sum | cut -d' ' -f1)"
+ docker buildx imagetools inspect "git.farh.net/farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}"
+ DIGEST="sha256:$(docker buildx imagetools inspect --raw "git.farh.net/farhoodlabs/trebuchet:${{ needs.preflight.outputs.version }}" | sha256sum | cut -d' ' -f1)"
 echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"
 - name: Inspect API image
 id: inspect-api
 run: |
- docker buildx imagetools inspect "farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}"
- DIGEST="sha256:$(docker buildx imagetools inspect --raw "farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}" | sha256sum | cut -d' ' -f1)"
+ docker buildx imagetools inspect "git.farh.net/farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}"
+ DIGEST="sha256:$(docker buildx imagetools inspect --raw "git.farh.net/farhoodlabs/trebuchet-api:${{ needs.preflight.outputs.version }}" | sha256sum | cut -d' ' -f1)"
 echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"
 - name: Install cosign
 uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
 - name: Sign worker image
- run: cosign sign --yes "farhoodlabs/trebuchet@${{ steps.inspect-worker.outputs.digest }}"
+ env:
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+ COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+ run: cosign sign --yes --key env://COSIGN_PRIVATE_KEY "git.farh.net/farhoodlabs/trebuchet@${{ steps.inspect-worker.outputs.digest }}"
 - name: Sign API image
- run: cosign sign --yes "farhoodlabs/trebuchet-api@${{ steps.inspect-api.outputs.digest }}"
+ env:
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+ COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+ run: cosign sign --yes --key env://COSIGN_PRIVATE_KEY "git.farh.net/farhoodlabs/trebuchet-api@${{ steps.inspect-api.outputs.digest }}"
 - name: Verify worker image signature
+ env:
+ COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
 run: |
 sleep 10
- cosign verify \
- --certificate-oidc-issuer https://token.actions.githubusercontent.com \
- --certificate-identity https://github.com/${{ github.repository }}/.github/workflows/release.yml@${{ github.ref }} \
- "farhoodlabs/trebuchet@${{ steps.inspect-worker.outputs.digest }}"
+ cosign verify --key env://COSIGN_PUBLIC_KEY \
+ "git.farh.net/farhoodlabs/trebuchet@${{ steps.inspect-worker.outputs.digest }}"
 - name: Verify API image signature
+ env:
+ COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
 run: |
- cosign verify \
- --certificate-oidc-issuer https://token.actions.githubusercontent.com \
- --certificate-identity https://github.com/${{ github.repository }}/.github/workflows/release.yml@${{ github.ref }} \
- "farhoodlabs/trebuchet-api@${{ steps.inspect-api.outputs.digest }}"
+ cosign verify --key env://COSIGN_PUBLIC_KEY \
+ "git.farh.net/farhoodlabs/trebuchet-api@${{ steps.inspect-api.outputs.digest }}"
 publish-npm:
 name: Publish npm
 needs: [preflight, sign-docker]
- runs-on: runners-farhoodlabs
+ runs-on: ubuntu-latest
 permissions:
 contents: read
- id-token: write
 steps:
 - name: Checkout
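Review bot: The switch from keyless to `--key env://COSIGN_PRIVATE_KEY` removes the identity binding the old `--certificate-identity .../release.yml@...` check gave: a signature now says only "someone holding the key signed this digest", and because `COSIGN_PUBLIC_KEY` is itself pulled from `secrets` in the verify steps, the verification cannot tell a genuine release from one made after both COSIGN_* secrets were replaced. Check the public key into the repository and verify against that file, and document the trust and rotation model next to the sign step, e.g. `# Images are signed with the long-lived release key whose public half is committed as cosign.pub; rotating the key requires re-signing or retaining the old public key for older releases`. The digest fed to `cosign sign` is also produced by `sha256sum` over `imagetools inspect --raw` output rather than taken from the registry or from the build job's `digest` output; using the latter would avoid signing a locally re-serialised manifest. The job's checkout step is above this hunk.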
@@ -226,9 +237,9 @@ jobs:
 fi
 release:
- name: Create GitHub release
+ name: Create Gitea release
 needs: [preflight, publish-npm]
- runs-on: runners-farhoodlabs
+ runs-on: ubuntu-latest
 permissions:
 contents: write
@@ -250,7 +261,8 @@ jobs:
 - name: Install dependencies
 run: pnpm install --frozen-lockfile
- - name: Create GitHub release
+ - name: Create Gitea release
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: npx semantic-release@25
+ GITEA_URL: https://git.farh.net
+ GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
+ run: npx -p semantic-release@25 -p semantic-release-gitea semantic-release
diff --git a/.github/workflows/rollback-beta.yml b/.gitea/workflows/rollback-beta.yml
similarity index 98%
rename from .github/workflows/rollback-beta.yml
rename to .gitea/workflows/rollback-beta.yml
index 98fd610..848d882 100644
--- a/.github/workflows/rollback-beta.yml
+++ b/.gitea/workflows/rollback-beta.yml
@@ -18,7 +18,7 @@ concurrency:
 jobs:
 rollback:
 name: Roll back npm beta dist-tag
- runs-on: runners-farhoodlabs
+ runs-on: ubuntu-latest
 steps:
 - name: Validate target version
 id: target
diff --git a/.github/workflows/rollback.yml b/.gitea/workflows/rollback.yml
similarity index 72%
rename from .github/workflows/rollback.yml
rename to .gitea/workflows/rollback.yml
index 217e291..c4c34bd 100644
--- a/.github/workflows/rollback.yml
+++ b/.gitea/workflows/rollback.yml
@@ -17,8 +17,8 @@ concurrency:
 jobs:
 rollback:
- name: Roll back npm, Docker, and GitHub release latest
- runs-on: runners-farhoodlabs
+ name: Roll back npm and Docker latest
+ runs-on: ubuntu-latest
 steps:
 - name: Checkout tags
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
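Review bot: In the `@@ -250,7` hunk the real release runs `npx -p semantic-release@25 -p semantic-release-gitea semantic-release` two lines after `pnpm install --frozen-lockfile`, so the lockfile-pinned install is immediately bypassed for the component that actually holds `GITEA_TOKEN`, and the preflight dry run and this run may resolve different versions of an unpinned plugin. Declare `semantic-release` and `semantic-release-gitea` as devDependencies and change the line to `run: pnpm exec semantic-release`, which makes both jobs use the locked version and removes the runtime registry fetch. The step that precedes `Install dependencies` (Node/pnpm setup) is above this hunk.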
@@ -74,48 +74,44 @@ jobs:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- - name: Log in to Docker Hub
+ - name: Log in to Gitea registry
 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
 with:
- username: ${{ secrets.DOCKERHUB_USERNAME }}
- password: ${{ secrets.DOCKERHUB_TOKEN }}
+ registry: git.farh.net
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITEA_TOKEN }}
 - name: Verify Docker image tag exists
- run: docker buildx imagetools inspect "farhoodlabs/trebuchet:${{ steps.target.outputs.version }}"
+ run: docker buildx imagetools inspect "git.farh.net/farhoodlabs/trebuchet:${{ steps.target.outputs.version }}"
 - name: Install cosign
 uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
 - name: Verify Docker image signature before rollback
+ env:
+ COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
 run: |
- cosign verify \
- --certificate-oidc-issuer https://token.actions.githubusercontent.com \
- --certificate-identity "https://github.com/${{ github.repository }}/.github/workflows/release.yml@refs/heads/main" \
- "farhoodlabs/trebuchet:${{ steps.target.outputs.version }}"
+ cosign verify --key env://COSIGN_PUBLIC_KEY \
+ "git.farh.net/farhoodlabs/trebuchet:${{ steps.target.outputs.version }}"
 - name: Move Docker latest
 run: |
 docker buildx imagetools create \
- --tag "farhoodlabs/trebuchet:latest" \
- "farhoodlabs/trebuchet:${{ steps.target.outputs.version }}"
+ --tag "git.farh.net/farhoodlabs/trebuchet:latest" \
+ "git.farh.net/farhoodlabs/trebuchet:${{ steps.target.outputs.version }}"
 - name: Move npm latest
 env:
 NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 run: npm dist-tag add "@trebuchet/cli@${{ steps.target.outputs.version }}" latest
- - name: Mark GitHub release as latest
- env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: gh release edit "v${{ steps.target.outputs.version }}" --latest
 - name: Show final npm dist-tags
 env:
 NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 run: npm dist-tag ls @trebuchet/cli
 - name: Verify Docker latest now points to target
- run: docker buildx imagetools inspect "farhoodlabs/trebuchet:latest"
+ run: docker buildx imagetools inspect "git.farh.net/farhoodlabs/trebuchet:latest"
 - name: Write summary
 run: |
@@ -124,6 +120,9 @@ jobs:
 echo ""
 echo "- Target version: \`${{ steps.target.outputs.version }}\`"
 echo "- npm package: \`@trebuchet/cli\`"
- echo "- Docker image: \`farhoodlabs/trebuchet\`"
- echo "- GitHub release: \`v${{ steps.target.outputs.version }}\` marked as latest"
+ echo "- Docker image: \`git.farh.net/farhoodlabs/trebuchet\`"
+ echo ""
+ echo "NOTE: Gitea determines the 'latest' release by date, not a flag."
+ echo "To re-mark \`v${{ steps.target.outputs.version }}\` as the latest"
+ echo "release on Gitea, edit the release in the UI to bump its date."
 } >> "$GITHUB_STEP_SUMMARY"
diff --git a/.github/workflows/helm-release.yml b/.github/workflows/helm-release.yml
deleted file mode 100644
index bd8d615..0000000
--- a/.github/workflows/helm-release.yml
+++ /dev/null
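Review bot: The rollback verifies `git.farh.net/farhoodlabs/trebuchet:${{ steps.target.outputs.version }}` by tag in `Verify Docker image signature before rollback` and then, in `Move Docker latest`, re-resolves the same tag for `imagetools create`, so an image pushed to that version tag between the two steps is promoted to `latest` without ever being verified; the release workflows sign by digest, and the rollback should verify and retag the same digest. Resolve it once in `Verify Docker image tag exists`, e.g. `DIGEST=$(docker buildx imagetools inspect --format '{{json .Manifest.Digest}}' "git.farh.net/farhoodlabs/trebuchet:${{ steps.target.outputs.version }}" | tr -d '"')` written to `$GITHUB_OUTPUT`, then pass `git.farh.net/farhoodlabs/trebuchet@$DIGEST` to both `cosign verify` and `imagetools create`. The same remark as for the release workflows applies to reading `COSIGN_PUBLIC_KEY` from secrets instead of a committed `cosign.pub`. The `steps.target` validation that produces `version` is above this hunk.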
@@ -1,53 +0,0 @@
-name: Helm Chart Release
-
-on:
- push:
- branches: [main]
- paths:
- - 'charts/hightower/**'
-
-permissions:
- contents: write
-
-jobs:
- release:
- name: Lint, package & publish
- runs-on: runners-farhoodlabs
- steps:
- - name: Checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- fetch-depth: 0
-
- - name: Install Helm
- uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
-
- - name: Lint chart
- run: helm lint charts/hightower
-
- - name: Package chart
- run: |
- mkdir -p .helm-packages
- helm package charts/hightower -d .helm-packages
-
- - name: Checkout gh-pages
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- ref: gh-pages
- path: gh-pages
- fetch-depth: 0
-
- - name: Update Helm repo index
- run: |
- cp .helm-packages/*.tgz gh-pages/
- helm repo index gh-pages --url https://farhoodlabs.github.io/hightower
-
- - name: Push to gh-pages
- run: |
- cd gh-pages
- git config user.name "github-actions[bot]"
- git config user.email "github-actions[bot]@users.noreply.github.com"
- git add .
- git diff --staged --quiet && echo "No changes to commit" && exit 0
- git commit -m "Release Helm chart $(ls *.tgz | head -1)"
- git push
diff --git a/.gitignore b/.gitignore
index c24f52e..ca41c18 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,5 @@ credentials/
 dist/
 repos/
 .turbo/
+cosign.key
+cosign.pub
diff --git a/.releaserc.json b/.releaserc.json
index 6e598cb..1dbc3b4 100644
--- a/.releaserc.json
+++ b/.releaserc.json
@@ -9,13 +9,6 @@
 "npmPublish": false
 }
 ],
- [
- "@semantic-release/github",
- {
- "successCommentCondition": false,
- "failCommentCondition": false,
- "releasedLabels": false
- }
- ]
+ "semantic-release-gitea"
 ]
 }
diff --git a/charts/hightower/Chart.yaml b/charts/hightower/Chart.yaml
index 3eeb246..57ac0a1 100644
--- a/charts/hightower/Chart.yaml
+++ b/charts/hightower/Chart.yaml
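Review bot: Adding `cosign.pub` to `.gitignore` keeps the public half of the release key out of the repository, which is the opposite of what the new key-based verification needs: the workflows verify against `secrets.COSIGN_PUBLIC_KEY`, and anyone pulling `git.farh.net/farhoodlabs/trebuchet` has no committed key to hand to `cosign verify --key`. Ignoring `cosign.key` is correct; drop the `cosign.pub` line, commit the public key, and point the verify steps at the file so CI and consumers check the same key.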
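Review bot: The removed `@semantic-release/github` entry had `successCommentCondition`, `failCommentCondition` and `releasedLabels` explicitly switched off, while the replacement `"semantic-release-gitea"` is added with no options, so whatever that plugin does by default with `GITEA_TOKEN` (issue or PR commenting, label updates, asset upload) now happens silently. Check its option set and, where equivalents exist, carry the same switches across as `["semantic-release-gitea", { ... }]` so the token is used only to create the release; if the plugin has no such options, note that in the commit message or README, since JSON leaves no room for a comment here.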
@@ -4,3 +4,24 @@ description: API-driven AI pentester built on Shannon, deployed as a service on
 type: application
 version: 0.1.1
 appVersion: "1.0.0"
+home: https://git.farh.net/farhoodlabs/trebuchet
+sources:
+ - https://git.farh.net/farhoodlabs/trebuchet
+maintainers:
+ - name: farhoodlabs
+ url: https://git.farh.net/farhoodlabs
+keywords:
+ - security
+ - pentesting
+ - ai
+ - kubernetes
+annotations:
+ artifacthub.io/license: AGPL-3.0
+ artifacthub.io/links: |
+ - name: source
+ url: https://git.farh.net/farhoodlabs/trebuchet
+ artifacthub.io/images: |
+ - name: worker
+ image: git.farh.net/farhoodlabs/trebuchet:latest
+ - name: api
+ image: git.farh.net/farhoodlabs/trebuchet-api:latest
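Review bot: `artifacthub.io/images` lists `git.farh.net/farhoodlabs/trebuchet:latest` and `git.farh.net/farhoodlabs/trebuchet-api:latest`, mutable tags that Artifact Hub will scan and present as the images belonging to chart `0.1.1`, while the chart declares `appVersion: "1.0.0"` and the release workflow publishes per-version tags that are the ones actually signed. Point the annotation at the immutable tag matching `appVersion` (`:1.0.0` per this file), ideally with an `@sha256:` digest, so the chart version maps to a specific, verifiable image; whether the templates default the image tag to `.Chart.AppVersion` is not visible here and should be aligned at the same time. `artifacthub.io/license: AGPL-3.0` should match a LICENSE file in the repository, which this patch does not show.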