From 3483b42b742a8c49369f7c9cfcea295f95f6a563 Mon Sep 17 00:00:00 2001
From: Markus Maiwald <markus@sovereign-society.org>
Date: Sun, 15 Feb 2026 20:04:42 +0100
Subject: [PATCH] ci: add Forgejo Actions workflow

---
 .forgejo/workflows/ci.yml | 55 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 .forgejo/workflows/ci.yml

diff --git a/.forgejo/workflows/ci.yml b/.forgejo/workflows/ci.yml
new file mode 100644
index 0000000..6a662df
--- /dev/null
+++ b/.forgejo/workflows/ci.yml
@@ -0,0 +1,55 @@
+# NIP Package Manager CI
+name: NIP CI
+
+on:
+  push:
+    branches: [unstable, main, stable, testing]
+  pull_request:
+    branches: [unstable, main]
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Verify toolchain
+        run: nim --version | head -1
+
+      - name: Install dependencies
+        run: |
+          nimble refresh 2>/dev/null || true
+          nimble install -y xxhash 2>/dev/null || echo "WARN: xxhash install failed"
+
+      - name: Build (release)
+        run: nim c -d:release --opt:speed --hints:off -o:nip nip.nim
+
+      - name: Verify binary
+        run: |
+          ls -lh nip
+          file nip
+
+  security-scan:
+    name: Security Scan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Check for sensitive content
+        run: |
+          FAIL=0
+          for dir in .agent .vscode .kiro competitors; do
+            if [ -d "$dir" ]; then
+              echo "FAIL: Sensitive directory '$dir' found"
+              FAIL=1
+            fi
+          done
+          MATCHES=$(git grep -l '/home/markus' -- ':!.forgejo/' 2>/dev/null || true)
+          if [ -n "$MATCHES" ]; then
+            echo "FAIL: Internal paths found in:"
+            echo "$MATCHES"
+            FAIL=1
+          fi
+          if [ $FAIL -eq 1 ]; then exit 1; fi
+          echo "Security scan PASSED"