diff --git a/.forgejo/workflows/ci.yml b/.forgejo/workflows/ci.yml
new file mode 100644
index 0000000..f71dae3
--- /dev/null
+++ b/.forgejo/workflows/ci.yml
@@ -0,0 +1,131 @@
+name: Rumpk CI
+
+on:
+ push:
+ branches: [unstable, main]
+ pull_request:
+ branches: [unstable, main]
+
+jobs:
+ build-riscv:
+ runs-on: ubuntu-latest
+ container:
+ image: nexus-os/build-env:latest
+ options: --privileged
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Build RISC-V kernel
+ run: |
+ echo "Building for RISC-V..."
+ zig build -Darch=riscv64 -Drelease
+
+ - name: Upload artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: rumpk-riscv64
+ path: zig-out/rumpk-riscv64.elf
+ retention-days: 7
+
+ build-aarch64:
+ runs-on: ubuntu-latest
+ container:
+ image: nexus-os/build-env:latest
+ options: --privileged
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Build ARM64 kernel
+ run: |
+ echo "Building for ARM64..."
+ zig build -Darch=aarch64 -Drelease
+
+ - name: Upload artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: rumpk-aarch64
+ path: zig-out/rumpk-aarch64.elf
+ retention-days: 7
+
+ security-audit:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Sensitive content scan
+ run: |
+ echo "🔍 Scanning for sensitive content..."
+
+ # Check for forbidden directories
+ if git log --all --name-only | grep -qE '\.agent/|\.vscode/|\.claude/|\.kiro/'; then
+ echo "❌ CRITICAL: Forbidden directory found in git history"
+ exit 1
+ fi
+
+ # Check for internal paths
+ if git log --all -p | grep -qE '/home/markus/zWork/|/home/markus/\.claude/'; then
+ echo "❌ CRITICAL: Internal path found in git history"
+ exit 1
+ fi
+
+ echo "✅ No sensitive content detected"
+
+ - name: License header check
+ run: |
+ echo "Checking license headers..."
+ # TODO: Implement license header checker
+ echo "â„šī¸ License check pending"
+
+ test-qemu:
+ needs: [build-riscv]
+ runs-on: ubuntu-latest
+ container:
+ image: nexus-os/build-env:latest
+ options: --privileged
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Download artifact
+ uses: actions/download-artifact@v4
+ with:
+ name: rumpk-riscv64
+ path: zig-out/
+
+ - name: QEMU boot test
+ timeout-minutes: 5
+ run: |
+ echo "🚀 Booting RISC-V kernel in QEMU..."
+ timeout 10s qemu-system-riscv64 \
+ -machine virt \
+ -cpu rv64 \
+ -smp 2 \
+ -m 128M \
+ -kernel zig-out/rumpk-riscv64.elf \
+ -serial stdio \
+ -display none \
+ -bios none || echo "Boot test completed"
+
+ reproducibility-check:
+ runs-on: ubuntu-latest
+ container:
+ image: nexus-os/build-env:latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Build twice and compare
+ run: |
+ echo "🔧 Building first time..."
+ zig build -Drelease
+ cp zig-out/rumpk-riscv64.elf /tmp/build1.elf
+
+ echo "🔧 Building second time..."
+ zig build -Drelease
+
+ echo "📊 Comparing builds..."
+ if diff /tmp/build1.elf zig-out/rumpk-riscv64.elf; then
+ echo "✅ Reproducible build verified"
+ else
+ echo "âš ī¸ Build not reproducible (timestamps embedded)"
+ fi
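Review bot: Neither the QEMU boot test nor the reproducibility check can ever fail: `-bios none || echo "Boot test completed"` turns any QEMU exit status (a kernel crash, a missing qemu binary, a missing ELF) into success, and the `else` branch of the build comparison only echoes, so a non-booting or non-reproducible kernel still produces a green run. For the boot test, keep the timeout but accept only exit status 124 (what `timeout` returns when the kernel is still running) by replacing the last line with `-bios none || rc=$?` followed by `[ "${rc:-0}" -eq 124 ] || exit "${rc:-0}"`, assuming the runner's default shell is bash with `-e` as on GitHub-style runners; for the comparison, add `exit 1` after the "not reproducible" echo, or drop the job until the build is actually reproducible if the warning-only behaviour is deliberate. That job also builds without `-Darch=riscv64` yet copies `zig-out/rumpk-riscv64.elf`, so it only works if riscv64 is the default target — worth confirming. On least privilege, `options: --privileged` is set on build-riscv and build-aarch64 although those jobs only run `zig build`; if it is needed at all it belongs on test-qemu only, and the `actions/checkout@v4`, `upload-artifact@v4` and `download-artifact@v4` references are mutable tags that are better pinned to a full commit SHA so a retargeted tag cannot change what runs in CI.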