diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index dc89f8e..79bd862 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -2,25 +2,77 @@ name: CI
 
 on:
   push:
-    branches: ["**"]
   pull_request:
     branches: ["master"]
 
+env:
+  NODE_OPTIONS: --dns-result-order=ipv4first
+
+defaults:
+  run:
+    shell: bash
+
 jobs:
   build-and-anchors:
     runs-on: ubuntu-latest
     container:
-      image: node:20-bookworm-slim
+      image: mcr.microsoft.com/devcontainers/javascript-node:20-bookworm
 
     steps:
-      - name: Install git (needed by checkout)
+      - name: Tools sanity
         run: |
-          apt-get update
-          apt-get install -y --no-install-recommends git ca-certificates
+          set -euo pipefail
           git --version
+          node --version
+          npm --version
+          npm ping --registry=https://registry.npmjs.org
 
-      - name: Checkout
-        uses: actions/checkout@v4
+      # Checkout SANS action externe (pas de github.com)
+      - name: Checkout (from Gitea, no external actions)
+        run: |
+          set -euo pipefail
+
+          echo "GITEA_SERVER_URL=${GITEA_SERVER_URL:-}"
+          echo "GITEA_REPOSITORY=${GITEA_REPOSITORY:-}"
+          echo "GITEA_SHA=${GITEA_SHA:-}"
+          echo "GITEA_REF=${GITEA_REF:-}"
+
+          # On nettoie l'espace de travail (au cas où)
+          rm -rf .git || true
+
+          # URL du repo
+          REPO_URL="${GITEA_SERVER_URL}/${GITEA_REPOSITORY}.git"
+
+          # Auth via token si présent (Gitea fournit généralement GITEA_TOKEN)
+          if [ -n "${GITEA_TOKEN:-}" ]; then
+            AUTH_URL="$(echo "$REPO_URL" | sed "s#^https://#https://oauth2:${GITEA_TOKEN}@#")"
+          else
+            AUTH_URL="$REPO_URL"
+          fi
+
+          git init .
+          git remote add origin "$AUTH_URL"
+
+          # On récupère exactement le commit du run
+          if [ -n "${GITEA_SHA:-}" ]; then
+            git fetch --depth=1 origin "$GITEA_SHA"
+            git checkout -q FETCH_HEAD
+          else
+            # fallback si SHA absent
+            git fetch --depth=1 origin "${GITEA_REF:-master}"
+            git checkout -q FETCH_HEAD
+          fi
+
+          git log -1 --oneline
+
+      - name: NPM harden
+        run: |
+          set -euo pipefail
+          npm config set fetch-retries 5
+          npm config set fetch-retry-mintimeout 20000
+          npm config set fetch-retry-maxtimeout 120000
+          npm config set registry https://registry.npmjs.org
+          npm config get registry
 
       - name: Install deps
         run: npm ci