diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 89832f6..528c22d 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -2,6 +2,7 @@ name: CI
 
 on:
   push:
+    branches: ["**"]
   pull_request:
     branches: ["master"]
 
@@ -27,74 +28,47 @@ jobs:
           npm --version
           npm ping --registry=https://registry.npmjs.org
 
-      # Checkout SANS action externe (pas de github.com)
       - name: Checkout (from event.json, no external actions)
         run: |
           set -euo pipefail
 
           EVENT_JSON="/var/run/act/workflow/event.json"
-          if [ ! -f "$EVENT_JSON" ]; then
-            echo "ERROR: missing $EVENT_JSON"
-            ls -la /var/run/act/workflow || true
-            exit 1
-          fi
+          test -f "$EVENT_JSON" || (echo "❌ Missing $EVENT_JSON" && exit 1)
 
-          # 1) Récupère l'URL du repo depuis event.json
-          REPO_URL="$(node -e '
-            const fs=require("fs");
-            const ev=JSON.parse(fs.readFileSync(process.argv[1],"utf8"));
-            let url = ev.repository?.clone_url || ev.repository?.html_url || "";
-            if (!url) process.exit(2);
-            if (!url.endsWith(".git")) url += ".git";
-            process.stdout.write(url);
-          ' "$EVENT_JSON")"
+          # Extract repo clone url + sha from event payload (push or pull_request)
+          eval "$(node - <<'NODE'
+          import fs from "node:fs";
+          const ev = JSON.parse(fs.readFileSync("/var/run/act/workflow/event.json","utf8"));
 
-          # 2) Récupère le SHA (push -> after, PR -> pull_request.head.sha)
-          SHA="$(node -e '
-            const fs=require("fs");
-            const ev=JSON.parse(fs.readFileSync(process.argv[1],"utf8"));
-            const sha =
-              ev.after ||
-              ev.pull_request?.head?.sha ||
-              ev.head_commit?.id ||
-              "";
-            process.stdout.write(sha);
-          ' "$EVENT_JSON")"
+          const repo =
+            ev?.repository?.clone_url ||
+            (ev?.repository?.html_url ? (ev.repository.html_url.replace(/\/$/,'') + ".git") : "");
 
-          if [ -z "$SHA" ]; then
-            echo "ERROR: cannot find SHA in event.json"
-            node -e 'const ev=require(process.argv[1]); console.log(Object.keys(ev));' "$EVENT_JSON" || true
-            exit 1
-          fi
+          const sha =
+            ev?.after ||
+            ev?.pull_request?.head?.sha ||
+            ev?.head_commit?.id ||
+            ev?.sha ||
+            "";
+
+          if (!repo) { console.error("No repository.clone_url/html_url in event.json"); process.exit(1); }
+          if (!sha)  { console.error("No sha/after/pull_request.head.sha in event.json"); process.exit(1); }
+
+          // print shell-safe assignments
+          console.log(`REPO_URL=${JSON.stringify(repo)}`);
+          console.log(`SHA=${JSON.stringify(sha)}`);
+NODE
+          )"
 
           echo "Repo URL: $REPO_URL"
-          echo "SHA: $SHA"
+          echo "SHA:      $SHA"
 
-          # 3) Ajoute token si disponible (NE PAS afficher le token)
-          AUTH_URL="$REPO_URL"
-          if [ -n "${GITHUB_TOKEN:-}" ] && [[ "$REPO_URL" == https://* ]]; then
-            AUTH_URL="${REPO_URL/https:\/\//https:\/\/oauth2:${GITHUB_TOKEN}@}"
-          elif [ -n "${GITEA_TOKEN:-}" ] && [[ "$REPO_URL" == https://* ]]; then
-            AUTH_URL="${REPO_URL/https:\/\//https:\/\/oauth2:${GITEA_TOKEN}@}"
-          fi
-
-          # 4) Clone minimal + checkout exact du SHA
-          rm -rf .git || true
-          git init .
-
-          # Optionnel si ton Gitea a un TLS “non standard” (certificat) :
-          # git config --global http.sslVerify false
-
-          git remote add origin "$AUTH_URL"
-          git fetch --depth=1 origin "$SHA"
+          rm -rf .git
+          git init
+          git remote add origin "$REPO_URL"
+          git fetch --depth 1 origin "$SHA"
           git checkout -q FETCH_HEAD
-
           git log -1 --oneline
-      
-      - name: Anchor aliases schema
-        run: node scripts/check-anchor-aliases.mjs
-      - name: Verify anchor aliases injected in dist
-        run: node scripts/verify-anchor-aliases-in-dist.mjs
 
       - name: NPM harden
         run: |
@@ -106,18 +80,31 @@ jobs:
           npm config get registry
 
       - name: Install deps
-        run: npm ci
+        run: |
+          set -euo pipefail
+          npm ci
 
       - name: Inline scripts syntax check
-        run: node scripts/check-inline-js.mjs
+        run: |
+          set -euo pipefail
+          node scripts/check-inline-js.mjs
 
-      - name: Build
-        run: npm run build
-
-      - name: Verify anchor aliases injected
-        run: node scripts/verify-anchor-aliases-in-dist.mjs
+      - name: Build (includes postbuild injection + pagefind)
+        run: |
+          set -euo pipefail
+          npm run build
 
       - name: Anchors contract
-        run: npm run test:anchors
+        run: |
+          set -euo pipefail
+          npm run test:anchors
 
+      - name: Anchor aliases schema
+        run: |
+          set -euo pipefail
+          node scripts/check-anchor-aliases.mjs
 
+      - name: Verify anchor aliases injected in dist
+        run: |
+          set -euo pipefail
+          node scripts/verify-anchor-aliases-in-dist.mjs