diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
new file mode 100644
index 0000000..50448bd
--- /dev/null
+++ b/.gitea/workflows/ci.yml
@@ -0,0 +1,69 @@
+---
+# ci-sync: 2026-05-30T02:31:18Z
+# Homelab CI — Docker/heavy lane (git-ci-02)
+name: CI
+
+on:
+  push:
+    branches: [master, main]
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+jobs:
+  skip-ci-check:
+    runs-on: [homelab, self-hosted, linux]
+    container:
+      image: node:20-bookworm
+    outputs:
+      should-skip: ${{ steps.check.outputs.skip }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+      - id: check
+        run: |
+          SKIP=0
+          BRANCH="${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}"
+          MSG="${GITHUB_EVENT_HEAD_COMMIT_MESSAGE:-$(git log -1 --pretty=%B 2>/dev/null || true)}"
+          echo "$BRANCH" "$MSG" | grep -qi '@skipci' && SKIP=1
+          echo "skip=$SKIP" >> $GITHUB_OUTPUT
+
+  docker-ci:
+    needs: skip-ci-check
+    if: needs.skip-ci-check.outputs.should-skip != '1'
+    runs-on: [homelab, self-hosted, linux, heavy, docker]
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Hadolint
+        run: |
+          shopt -s globstar nullglob
+          found=0
+          for f in Dockerfile docker/**/Dockerfile */Dockerfile; do
+            [ -f "$f" ] || continue
+            found=1
+            # Warnings (unpinned apt/pip) are advisory; only errors fail the job
+            docker run --rm -i hadolint/hadolint hadolint --failure-threshold error - < "$f"
+          done
+          [ "$found" -eq 1 ] || echo "No Dockerfile — skip hadolint"
+
+      - name: Trivy config scan (advisory)
+        run: |
+          docker run --rm -v "$PWD:/repo" aquasec/trivy:latest config /repo || true
+
+  secret-scan:
+    needs: skip-ci-check
+    if: needs.skip-ci-check.outputs.should-skip != '1'
+    runs-on: [homelab, self-hosted, linux, heavy]
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Gitleaks
+        run: |
+          extra=""
+          if [ -f .gitleaks.toml ]; then
+            extra="--config /repo/.gitleaks.toml"
+          fi
+          docker run --rm -v "$PWD:/repo" ghcr.io/gitleaks/gitleaks:latest \
+            detect --source /repo --no-banner --redact ${extra}
diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 0000000..3587bd4
--- /dev/null
+++ b/.gitleaks.toml
@@ -0,0 +1,19 @@
+# Homelab bootstrap — gitleaks allowlist (tests, examples, placeholders)
+title = "homelab gitea bootstrap"
+
+[allowlist]
+description = "Test fixtures and example configs are not production secrets"
+paths = [
+  '''(?i).*\.test\.(ts|tsx|js|jsx|py)$''',
+  '''(?i).*\.spec\.(ts|tsx|js|jsx)$''',
+  '''(?i).*/tests/.*''',
+  '''(?i).*/__tests__/.*''',
+  '''(?i).*\.example\.(yml|yaml|env|json|toml)$''',
+  '''(?i).*vault\.example\.(yml|yaml)$''',
+  '''(?i).*\.env\.example$''',
+]
+regexes = [
+  '''(?i)(invalid|fake|dummy|placeholder|example|changeme|change_me|not-a-real)''',
+  '''(?i)sk-or-invalid''',
+  '''(?i)msk-or-invalid''',
+]