diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 79bd862..a2cf6ad 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -28,40 +28,66 @@ jobs:
           npm ping --registry=https://registry.npmjs.org
 
       # Checkout SANS action externe (pas de github.com)
-      - name: Checkout (from Gitea, no external actions)
+      - name: Checkout (from event.json, no external actions)
         run: |
           set -euo pipefail
 
-          echo "GITEA_SERVER_URL=${GITEA_SERVER_URL:-}"
-          echo "GITEA_REPOSITORY=${GITEA_REPOSITORY:-}"
-          echo "GITEA_SHA=${GITEA_SHA:-}"
-          echo "GITEA_REF=${GITEA_REF:-}"
+          EVENT_JSON="/var/run/act/workflow/event.json"
+          if [ ! -f "$EVENT_JSON" ]; then
+            echo "ERROR: missing $EVENT_JSON"
+            ls -la /var/run/act/workflow || true
+            exit 1
+          fi
 
-          # On nettoie l'espace de travail (au cas où)
+          # 1) Récupère l'URL du repo depuis event.json
+          REPO_URL="$(node -e '
+            const fs=require("fs");
+            const ev=JSON.parse(fs.readFileSync(process.argv[1],"utf8"));
+            let url = ev.repository?.clone_url || ev.repository?.html_url || "";
+            if (!url) process.exit(2);
+            if (!url.endsWith(".git")) url += ".git";
+            process.stdout.write(url);
+          ' "$EVENT_JSON")"
+
+          # 2) Récupère le SHA (push -> after, PR -> pull_request.head.sha)
+          SHA="$(node -e '
+            const fs=require("fs");
+            const ev=JSON.parse(fs.readFileSync(process.argv[1],"utf8"));
+            const sha =
+              ev.after ||
+              ev.pull_request?.head?.sha ||
+              ev.head_commit?.id ||
+              "";
+            process.stdout.write(sha);
+          ' "$EVENT_JSON")"
+
+          if [ -z "$SHA" ]; then
+            echo "ERROR: cannot find SHA in event.json"
+            node -e 'const ev=require(process.argv[1]); console.log(Object.keys(ev));' "$EVENT_JSON" || true
+            exit 1
+          fi
+
+          echo "Repo URL: $REPO_URL"
+          echo "SHA: $SHA"
+
+          # 3) Ajoute token si disponible (NE PAS afficher le token)
+          AUTH_URL="$REPO_URL"
+          if [ -n "${GITHUB_TOKEN:-}" ] && [[ "$REPO_URL" == https://* ]]; then
+            AUTH_URL="${REPO_URL/https:\/\//https:\/\/oauth2:${GITHUB_TOKEN}@}"
+          elif [ -n "${GITEA_TOKEN:-}" ] && [[ "$REPO_URL" == https://* ]]; then
+            AUTH_URL="${REPO_URL/https:\/\//https:\/\/oauth2:${GITEA_TOKEN}@}"
+          fi
+
+          # 4) Clone minimal + checkout exact du SHA
           rm -rf .git || true
-
-          # URL du repo
-          REPO_URL="${GITEA_SERVER_URL}/${GITEA_REPOSITORY}.git"
-
-          # Auth via token si présent (Gitea fournit généralement GITEA_TOKEN)
-          if [ -n "${GITEA_TOKEN:-}" ]; then
-            AUTH_URL="$(echo "$REPO_URL" | sed "s#^https://#https://oauth2:${GITEA_TOKEN}@#")"
-          else
-            AUTH_URL="$REPO_URL"
-          fi
-
           git init .
-          git remote add origin "$AUTH_URL"
 
-          # On récupère exactement le commit du run
-          if [ -n "${GITEA_SHA:-}" ]; then
-            git fetch --depth=1 origin "$GITEA_SHA"
-            git checkout -q FETCH_HEAD
-          else
-            # fallback si SHA absent
-            git fetch --depth=1 origin "${GITEA_REF:-master}"
-            git checkout -q FETCH_HEAD
-          fi
+          # Optionnel si ton Gitea a un TLS “non standard” (certificat) :
+          # git config --global http.sslVerify false
+
+          git remote add origin "$AUTH_URL"
+          git fetch --depth=1 origin "$SHA"
+          git checkout -q FETCH_HEAD
 
           git log -1 --oneline