diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
new file mode 100644
index 0000000..86bbd5e
--- /dev/null
+++ b/.gitea/workflows/ci.yml
@@ -0,0 +1,97 @@
+name: ci
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  backend:
+    name: backend (lint + typecheck + unit tests)
+    runs-on: linux
+    container:
+      image: python:3.12-slim-bookworm
+    services:
+      postgres:
+        image: postgres:16-alpine
+        env:
+          POSTGRES_DB: mimic_test
+          POSTGRES_USER: mimic_test
+          POSTGRES_PASSWORD: mimic_test_password
+        # Healthcheck so Gitea Actions waits for Postgres readiness.
+        options: >-
+          --health-cmd "pg_isready -U mimic_test -d mimic_test"
+          --health-interval 5s
+          --health-timeout 3s
+          --health-retries 10
+    env:
+      MIMIC_ENV: test
+      MIMIC_DATABASE_URL: postgresql+psycopg://mimic_test:mimic_test_password@postgres:5432/mimic_test
+      MIMIC_DATABASE_AUDIT_URL: postgresql+psycopg://mimic_test:mimic_test_password@postgres:5432/mimic_test
+      MIMIC_SECRET_KEY: ci-not-secret
+      MIMIC_FERNET_KEY: ${{ secrets.FERNET_KEY_TEST }}
+      MIMIC_BLOB_ROOT: /tmp/mimic-blobs
+      MIMIC_EVIDENCE_ROOT: /tmp/mimic-evidence
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: System deps (psycopg + WeasyPrint runtime)
+        run: |
+          apt-get update -qq
+          apt-get install -y --no-install-recommends \
+            build-essential libpq-dev \
+            libpango-1.0-0 libpangoft2-1.0-0 libcairo2 libffi-dev
+          rm -rf /var/lib/apt/lists/*
+
+      - name: Install backend
+        working-directory: backend
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e ".[dev]"
+
+      - name: Ruff lint
+        working-directory: backend
+        run: ruff check src tests
+
+      - name: Ruff format check
+        working-directory: backend
+        run: ruff format --check src tests
+
+      - name: Mypy strict
+        working-directory: backend
+        run: mypy --strict src
+
+      - name: Pytest unit
+        working-directory: backend
+        run: pytest tests/unit -q
+
+  frontend:
+    name: frontend (lint + typecheck + build + unit tests)
+    runs-on: linux
+    container:
+      image: node:22-alpine
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install
+        working-directory: frontend
+        run: npm ci
+
+      - name: ESLint
+        working-directory: frontend
+        run: npm run lint
+
+      - name: TypeScript typecheck
+        working-directory: frontend
+        run: npm run typecheck
+
+      - name: Vitest
+        working-directory: frontend
+        run: npm test
+
+      - name: Vite build
+        working-directory: frontend
+        run: npm run build
diff --git a/.gitea/workflows/smoke.yml b/.gitea/workflows/smoke.yml
new file mode 100644
index 0000000..4d91c86
--- /dev/null
+++ b/.gitea/workflows/smoke.yml
@@ -0,0 +1,22 @@
+name: smoke
+# Trivial workflow to validate the Gitea Actions runner pickup.
+# Removed in a follow-up commit once green on chore/podman-and-ci.
+
+on:
+  push:
+    branches:
+      - chore/podman-and-ci
+  workflow_dispatch:
+
+jobs:
+  hello:
+    runs-on: linux
+    steps:
+      - name: kernel + identity
+        run: |
+          echo "host: $(uname -a)"
+          id
+          cat /etc/os-release | head -3
+      - name: container runtime visible from job
+        run: |
+          which podman || which docker || echo "(no runtime visible — expected for nested rootless DooD)"