diff --git a/.gitea/workflows/actions.yaml b/.gitea/workflows/actions.yaml
new file mode 100644
index 0000000..9ff27e4
--- /dev/null
+++ b/.gitea/workflows/actions.yaml
@@ -0,0 +1,154 @@
+name: build-image
+on: [push]
+
+jobs:
+  semrel_dryrun:
+    name: Semantic Release (Dry-run)
+    runs-on: dind-rootless
+    outputs:
+      version: ${{ steps.sem_rel.outputs.version }}
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v3
+      - name: Set up Node
+        uses: actions/setup-node@v3
+        with:
+          node-version: 20
+      - name: Install dependencies
+        run: |
+          npm install \
+            semantic-release \
+            @semantic-release/commit-analyzer \
+            @semantic-release/exec
+      - name: Semantic Release (dry-run)
+        id: sem_rel
+        run: |
+          npx semantic-release \
+            --package @semantic-release/exec \
+            --package semantic-release \
+            --branches ${{ gitea.refname }} \
+            --tag-format 'v${version}' \
+            --dry-run \
+            --plugins @semantic-release/commit-analyzer,@semantic-release/exec \
+            --analyzeCommits @semantic-release/commit-analyzer \
+            --verifyRelease @semantic-release/exec \
+            --verifyReleaseCmd 'echo "version=${nextRelease.version}" >> $GITHUB_OUTPUT'
+        env:
+          GIT_CREDENTIALS: ${{ secrets.GIT_USERNAME }}:${{ secrets.GIT_APIKEY }}
+      - name: Assert semantic release output
+        run: |
+          [[ -z "${{ steps.sem_rel.outputs.version }}" ]] && {
+            echo 'No release tag - exiting'; exit 1
+          } || {
+            echo 'Release tag set correctly: ${{ steps.sem_rel.outputs.version }}'; exit 0
+          }
+
+  build_container:
+    name: Container image
+    runs-on: dind
+    needs: semrel_dryrun
+    container: ghcr.io/catthehacker/ubuntu:act-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v4
+      - name: Set up qemu
+        # Will not work out of the box; instead using dind
+        # uses: docker/setup-qemu-action@v3
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y qemu-user-static
+      - name: Create builder context
+        id: buildx-context
+        run: |
+          docker context create builders
+        env:
+          DOCKER_HOST: tcp://docker:2376/
+          DOCKER_TLS_CERTDIR: /certs
+          DOCKER_TLS_VERIFY: 1
+          DOCKER_CERT_PATH: "/certs/client"
+      - name: Set up buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          # buildkitd-flags: --debug
+          endpoint: builders
+        env:
+          DOCKER_HOST: "tcp://docker:2376/"
+          DOCKER_TLS_CERTDIR: "/certs"
+          DOCKER_TLS_VERIFY: 1
+          DOCKER_CERT_PATH: "/certs/client"
+      - name: Login to target repository
+        uses: docker/login-action@v3
+        with:
+          registry: code.spamasaurus.com
+          username: ${{ secrets.GIT_USERNAME }}
+          password: ${{ secrets.GIT_APIKEY }}
+      - name: Build & push container image
+        uses: docker/build-push-action@v5
+        with:
+          build-args: |
+            REPO_USERNAME=${{ secrets.REPO_USERNAME }}
+            REPO_PASSWORD=${{ secrets.REPO_PASSWORD }}
+          context: .
+          tags: code.spamasaurus.com/djpbessems/json-server:${{ needs.semrel_dryrun.outputs.version }}
+          provenance: false
+          push: true
+        env:
+          DOCKER_HOST: "tcp://docker:2376/"
+          DOCKER_TLS_CERTDIR: "/certs"
+          DOCKER_TLS_VERIFY: 1
+          DOCKER_CERT_PATH: "/certs/client"
+
+  build_chart:
+    name: Helm chart
+    runs-on: dind
+    needs: semrel_dryrun
+    container: ghcr.io/catthehacker/ubuntu:act-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v4
+      - name: Prepare build environment
+        run: |
+          helm plugin install https://github.com/chartmuseum/helm-push
+
+          sed -i 's/{{ chart_version }}/${{ needs.semrel_dryrun.outputs.version }}/g' charts/json-server/Chart.yaml
+          sed -i 's/{{ image_tag }}/${{ needs.semrel_dryrun.outputs.version }}/g' charts/json-server/values.yaml
+      - name: Build & push helm chart
+        run: |
+          helm package ./charts/json-server
+          helm repo add \
+            --username ${{ secrets.GIT_USERNAME }} \
+            --password ${{ secrets.GIT_APIKEY }} \
+            spamasaurus \
+            https://code.spamasaurus.com/api/packages/$GIT_USERNAME/helm
+          helm cm-push \
+            json-server-*.tgz \
+            spamasaurus
+
+  semrel:
+    name: Semantic Release
+    runs-on: dind-rootless
+    needs: [build_container,build_chart]
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v3
+      - name: Set up Node
+        uses: actions/setup-node@v3
+        with:
+          node-version: 20
+      - name: Install dependencies
+        run: |
+          npm install \
+            semantic-release \
+            @semantic-release/changelog \
+            @semantic-release/commit-analyzer \
+            @semantic-release/git \
+            @semantic-release/release-notes-generator
+      - name: Semantic Release
+        run: |
+          npx semantic-release \
+            --branches ${{ gitea.refname }} \
+            --tag-format 'v${version}' \
+            --plugins @semantic-release/commit-analyzer,@semantic-release/release-notes-generator,@semantic-release/changelog,@semantic-release/git
+        env:
+          GIT_CREDENTIALS: ${{ secrets.GIT_USERNAME }}:${{ secrets.GIT_APIKEY }}