diff --git a/.forgejo/workflows/ci.yml b/.forgejo/workflows/ci.yml
new file mode 100644
index 0000000..a54c43f
--- /dev/null
+++ b/.forgejo/workflows/ci.yml
@@ -0,0 +1,32 @@
+name: CI
+
+on:
+ push:
+
+jobs:
+ test:
+ runs-on: docker
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Install system dependencies
+ run: |
+ apt-get update
+ DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends python3-venv pipx
+
+ - name: Install Poetry
+ run: |
+ pipx install poetry==1.8.3
+ /root/.local/bin/poetry --version
+ echo "$HOME/.local/bin" >> "$GITHUB_PATH"
+
+ - name: Install project deps (including test extras)
+ run: |
+ poetry install --with test
+
+ - name: Run test script
+ run: |
+ ./tests.sh
+
diff --git a/.forgejo/workflows/lint.yml b/.forgejo/workflows/lint.yml
new file mode 100644
index 0000000..60768d8
--- /dev/null
+++ b/.forgejo/workflows/lint.yml
@@ -0,0 +1,26 @@
+name: Lint
+
+on:
+ push:
+
+jobs:
+ test:
+ runs-on: docker
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Install system dependencies
+ run: |
+ apt-get update
+ DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+ black pyflakes3 python3-bandit
+
+ - name: Run linters
+ run: |
+ black --diff --check src/*
+ black --diff --check tests/*
+ pyflakes3 src/*
+ pyflakes3 tests/*
+ bandit -s B110 -r src/
diff --git a/.forgejo/workflows/trivy.yml b/.forgejo/workflows/trivy.yml
new file mode 100644
index 0000000..18ced32
--- /dev/null
+++ b/.forgejo/workflows/trivy.yml
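Review bot: In ci.yml the `Checkout` step references `actions/checkout@v4`, a mutable tag, so whatever that tag points to at run time executes inside the job with access to the checkout and any job credentials. Pinning it to a full commit SHA, e.g. `uses: actions/checkout@<FULL_COMMIT_SHA>  # v4`, keeps the executed code fixed until someone reviews a bump; the same line appears in lint.yml and trivy.yml. On Forgejo a short `owner/repo` reference is resolved against the instance's default actions URL, so it is worth confirming which host this actually pulls from. Separately, the `Install Poetry` step calls `/root/.local/bin/poetry` but exports `$HOME/.local/bin`; `"$HOME/.local/bin/poetry" --version` keeps the two consistent if the runner is ever not root.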
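Review bot: In lint.yml the last linter line, `bandit -s B110 -r src/`, switches off the try/except/pass check for the whole tree with no explanation, so a newly added silent `except: pass` in security-relevant code will not be flagged either. If only a few existing sites are intentional, an inline `# nosec B110` with a reason at each of them keeps the check live for new code (assuming the packaged bandit supports per-test nosec); otherwise add a comment above the line such as `# B110 skipped: <reason>`. The linters are also installed unpinned from apt, so black's formatting verdict can change when the runner image changes, which is worth noting in a comment if that is accepted.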
@@ -0,0 +1,26 @@
+name: Trivy
+
+on:
+ schedule:
+ - cron: '0 1 * * *'
+ push:
+
+jobs:
+ test:
+ runs-on: docker
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Install system dependencies
+ run: |
+ DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends wget gnupg
+ wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | tee /usr/share/keyrings/trivy.gpg > /dev/null
+ echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | tee -a /etc/apt/sources.list.d/trivy.list
+ apt-get update
+ DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends trivy
+
+ - name: Run trivy
+ run: |
+ trivy fs --no-progress --ignore-unfixed --format table --disable-telemetry .
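Review bot: In trivy.yml the `Run trivy` step cannot fail the job on findings: `trivy fs` exits 0 by default even when vulnerabilities are reported, so the nightly schedule produces a table that nobody is alerted to. Adding `--exit-code 1` (optionally with `--severity HIGH,CRITICAL`) makes the run go red when something fixable is found. The install step also runs its first `apt-get install` before any `apt-get update`, unlike ci.yml and lint.yml, which will fail on an image that ships without package lists unless wget and gnupg are already present; put `apt-get update` first. The signing key is fetched from the same origin as the repository on every run, so consider checking its fingerprint against a value stored in the repo before writing it to `/usr/share/keyrings/trivy.gpg`.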