diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 0be9cc8..c0fbc70 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -2,61 +2,57 @@ name: CI
 
 on:
   push:
-    branches: ["**"]
   pull_request:
-    branches: ["master"]
 
 jobs:
   build-and-anchors:
     runs-on: ubuntu-latest
+
+    # On garde ton image devcontainers (elle a généralement git, etc.)
     container:
-      # Image avec node + git déjà présents -> pas d'APT
       image: mcr.microsoft.com/devcontainers/javascript-node:20-bookworm
-      # On force root pour pouvoir écrire /etc/resolv.conf (sinon user "node")
-      options: >-
-        --user root
-        --add-host gitea.archicratie.trans-hands.synology.me:192.168.1.20
 
     steps:
-      - name: Force DNS inside job container (DS220+ / act_runner)
-        run: |
-          set -eu
-          echo "== resolv.conf (before) =="; cat /etc/resolv.conf || true
-
-          cat > /etc/resolv.conf <<'EOF'
-          nameserver 192.168.1.1
-          nameserver 109.0.66.10
-          options timeout:2 attempts:2
-          EOF
-
-          echo "== resolv.conf (after) =="; cat /etc/resolv.conf
-          node -e 'require("dns").resolve4("deb.debian.org",(e,a)=>console.log("dns",e||a))'
-
       - name: Checkout (from Gitea, no external actions)
         env:
-          SERVER: ${{ github.server_url }}
-          REPO: ${{ github.repository }}
+          SERVER_URL: ${{ github.server_url }}
+          REPOSITORY: ${{ github.repository }}
           SHA: ${{ github.sha }}
           TOKEN: ${{ secrets.CI_TOKEN }}
         run: |
-          set -euo pipefail
+          set -eu
+          echo "Server: $SERVER_URL"
+          echo "Repo:   $REPOSITORY"
+          echo "SHA:    $SHA"
+
+          rm -rf .git || true
+
           if [ -n "${TOKEN:-}" ]; then
-            AUTH="$(printf "oauth2:%s" "$TOKEN" | base64 | tr -d '\n')"
-            git -c http.extraHeader="AUTHORIZATION: basic $AUTH" clone "$SERVER/$REPO.git" .
+            AUTH="$(printf 'oauth2:%s' "$TOKEN" | base64 | tr -d '\n')"
+            git -c http.extraHeader="AUTHORIZATION: basic $AUTH" clone "$SERVER_URL/$REPOSITORY.git" .
           else
-            echo "ℹ️ CI_TOKEN absent → clone sans auth (repo public ou accès runner déjà OK)."
-            git clone "$SERVER/$REPO.git" .
+            git clone "$SERVER_URL/$REPOSITORY.git" .
           fi
+
           git checkout "$SHA"
+          git status --porcelain=v1
 
       - name: Install deps
-        run: npm ci
+        run: |
+          set -eu
+          npm ci
 
       - name: Inline scripts syntax check
-        run: node scripts/check-inline-js.mjs
+        run: |
+          set -eu
+          node scripts/check-inline-js.mjs
 
       - name: Build
-        run: npm run build
+        run: |
+          set -eu
+          npm run build
 
       - name: Anchors contract
-        run: npm run test:anchors
+        run: |
+          set -eu
+          node scripts/check-anchors.mjs