ci: gitea actions — test, security, release

Three workflows modeled on kanrisha + Vortex:

* test.yml — on push/PR to main: build + vet + unit tests (-race), a
  gated integration job that runs go test -tags=integration ./test/...
  (testcontainers spins up Postgres 17 itself; runner must expose the
  docker socket), and a lint job (go mod tidy + gofmt check).
* security.yml — govulncheck on push to main plus a weekly Monday
  06:00 UTC cron so fresh CVEs surface without a code change.
* release.yml — on v* tag push only: goreleaser v2 with
  GORELEASER_FORCE_TOKEN=gitea + GITEA_SERVER_URL, plus a docker
  login step so the built image can push to Gitea's registry.

All three pin Go 1.26 (go.mod says 1.26.2). Release job requires the
TOKEN_GITEA repo secret (scope: packages + code:write).

.gitea/workflows/release.yml

@@ -0,0 +1,47 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+env:
+  GITEA_TOKEN: ${{ secrets.TOKEN_GITEA }}
+
+jobs:
+  goreleaser:
+    name: Build & Publish Release
+    runs-on: ubuntu-latest
+    # Only run when a v* tag is pushed — goreleaser handles the tag →
+    # release mapping, and we never want main-branch pushes to tag.
+    if: github.ref_type == 'tag' && startsWith(github.ref, 'refs/tags/v')
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          # goreleaser needs full history + tags for changelog + version
+          # derivation.
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.26'
+
+      - name: Log in to Gitea Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: git.anomalous.dev
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.TOKEN_GITEA }}
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          distribution: goreleaser
+          version: '~> v2'
+          args: release --clean
+        env:
+          GITEA_TOKEN: ${{ secrets.TOKEN_GITEA }}
+          GITEA_SERVER_URL: https://git.anomalous.dev
+          GORELEASER_FORCE_TOKEN: gitea

.gitea/workflows/security.yml

@@ -0,0 +1,25 @@
+name: Security
+
+on:
+  push:
+    branches: [main]
+  schedule:
+    # Monday 06:00 UTC — weekly vuln sweep so new CVEs surface without a push.
+    - cron: '0 6 * * 1'
+
+jobs:
+  govulncheck:
+    name: Vulnerability Check
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.26'
+
+      - name: Install govulncheck
+        run: go install golang.org/x/vuln/cmd/govulncheck@latest
+
+      - name: Run govulncheck
+        run: govulncheck ./...

.gitea/workflows/test.yml

@@ -0,0 +1,63 @@
+name: Test
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  build:
+    name: Build & Unit Tests
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.26'
+
+      - name: Build
+        run: go build ./...
+
+      - name: Vet
+        run: go vet ./...
+
+      - name: Unit Tests
+        run: go test -short -race -count=1 ./...
+
+  integration:
+    name: Integration Tests
+    runs-on: ubuntu-latest
+    needs: build
+    # testcontainers brings up the Postgres container itself; the runner
+    # must therefore expose the Docker socket. Gitea's act_runner does
+    # this by default when the host mounts /var/run/docker.sock.
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.26'
+
+      - name: Integration Tests
+        run: go test -tags=integration -count=1 -timeout=10m ./test/...
+
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.26'
+
+      - name: Check go.mod tidy
+        run: |
+          go mod tidy
+          git diff --exit-code go.mod go.sum
+
+      - name: Check formatting
+        run: |
+          test -z "$(gofmt -l $(find . -name '*.go' -not -path './vendor/*'))"