From 225d08908b6f29d2cd575a376eab48923be2f70d Mon Sep 17 00:00:00 2001
From: Markus Maiwald
Date: Sun, 15 Feb 2026 20:04:42 +0100
Subject: [PATCH] ci: add Forgejo Actions workflow
---
.forgejo/workflows/ci.yml | 79 +++++++++++++++++++++++++++++++++++++++
1 file changed, 79 insertions(+)
create mode 100644 .forgejo/workflows/ci.yml
diff --git a/.forgejo/workflows/ci.yml b/.forgejo/workflows/ci.yml
new file mode 100644
index 0000000..f56e586
--- /dev/null
+++ b/.forgejo/workflows/ci.yml
@@ -0,0 +1,79 @@
+# Rumpk Sovereign Kernel CI
+# Two-stage build: Nim->C->.o (build_nim.sh) then Zig links everything (zig build)
+name: Rumpk CI
+
+on:
+ push:
+ branches: [unstable, main, stable, testing]
+ pull_request:
+ branches: [unstable, main]
+
+jobs:
+ build-riscv64:
+ name: Build RISC-V 64
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Verify toolchain
+ run: |
+ echo "=== Toolchain ==="
+ zig version
+ nim --version | head -1
+ qemu-system-riscv64 --version | head -1
+
+ - name: Build LwIP
+ run: |
+ chmod +x build_lwip.sh
+ bash build_lwip.sh
+
+ - name: Compile Nim kernel to C objects
+ run: |
+ chmod +x build_nim.sh
+ bash build_nim.sh riscv64
+
+ - name: Build userland + initrd + final kernel
+ run: |
+ chmod +x build_full.sh
+ bash build_full.sh riscv64
+
+ - name: Verify kernel ELF
+ run: |
+ ls -lh zig-out/bin/rumpk.elf
+ file zig-out/bin/rumpk.elf
+
+ - name: QEMU boot test
+ run: |
+ timeout 25 qemu-system-riscv64 \
+ -M virt -cpu max -m 512M -nographic \
+ -kernel zig-out/bin/rumpk.elf \
+ 2>&1 | tee /tmp/boot.log || true
+ echo "=== Boot log ==="
+ cat /tmp/boot.log | tail -30
+ echo "=== Boot markers ==="
+ grep -c "Nim handoff\|init complete\|UART\|sched" /tmp/boot.log || echo "0 markers found"
+
+ security-scan:
+ name: Security Scan
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Check for sensitive content
+ run: |
+ FAIL=0
+ for dir in .agent .vscode .kiro competitors; do
+ if [ -d "$dir" ]; then
+ echo "FAIL: Sensitive directory '$dir' found"
+ FAIL=1
+ fi
+ done
+ # Exclude CI workflow files from path scan (they contain the pattern as a check)
+ MATCHES=$(git grep -l '/home/markus' -- ':!.forgejo/' 2>/dev/null || true)
+ if [ -n "$MATCHES" ]; then
+ echo "FAIL: Internal paths found in:"
+ echo "$MATCHES"
+ FAIL=1
+ fi
+ if [ $FAIL -eq 1 ]; then exit 1; fi
+ echo "Security scan PASSED"
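Review bot: The two verification steps fail open: `Check for sensitive content` in `security-scan` and `QEMU boot test` in `build-riscv64` both report success when the check itself did not run or found nothing. In the scan, `git grep -l '/home/markus' -- ':!.forgejo/' 2>/dev/null || true` turns a git error (exit status above 1, e.g. a rejected pathspec or missing repository metadata) into an empty `MATCHES`, so the job prints "Security scan PASSED" without having scanned. Keep the status and reject errors, e.g. `MATCHES=$(git grep -l '/home/markus' -- ':!.forgejo/') && rc=0 || rc=$?` followed by `[ "$rc" -le 1 ] || { echo "FAIL: git grep error $rc"; exit 1; }`. In the boot test, `|| true` on the qemu pipeline and `|| echo "0 markers found"` on `grep -c` let a kernel that never boots pass; the step should exit non-zero when the required markers are absent (which markers are mandatory is not stated in the hunk). Separately, `actions/checkout@v4` is a mutable tag in both jobs, and pinning it to a full commit SHA would keep the action code that builds the kernel image from changing underneath the workflow.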