ci: port workflows from .github/ to .forgejo/ (Forgejo Actions)

GitHub torrentclaw org is shadow-banned; CI is hosted at git.torrentclaw.com
now. Move workflows into the runner's natively-watched .forgejo/workflows/
tree and adapt steps to run in the available 'docker'-labeled Forgejo runner
without GitHub-only tooling (gh CLI, third-party marketplace actions).

- Use container: image to ship the toolchain (no actions/setup-* needed).
- Drop GitHub-only marketplace actions in favour of upstream installers
  invoked over curl/apt.
- Where a workflow created a GitHub Release (release.yml), substitute the
  step with a curl call against the Forgejo Releases API
  (POST /repos/<owner>/<repo>/releases).

.forgejo/workflows/ci.yml

@@ -0,0 +1,55 @@
+name: CI
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  lint-commits:
+    name: Lint commits
+    runs-on: docker
+    container:
+      image: docker.io/library/node:22
+    if: github.event_name == 'pull_request'
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Validate conventional commits
+        run: |
+          npx commitlint \
+            --from ${{ github.event.pull_request.base.sha }} \
+            --to ${{ github.event.pull_request.head.sha }} \
+            --verbose
+
+  build-and-test:
+    name: Build & test
+    runs-on: docker
+    container:
+      image: docker.io/library/node:22
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Check formatting
+        run: npx prettier --check .
+
+      - name: Typecheck
+        run: npx tsc --noEmit
+
+      - name: Build
+        run: npm run build
+
+      - name: Test
+        run: npm test

.forgejo/workflows/release.yml

@@ -0,0 +1,68 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - "v*"
+  workflow_dispatch:
+
+permissions:
+  contents: write
+
+jobs:
+  release:
+    runs-on: docker
+    container:
+      image: docker.io/library/node:22
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build
+        run: npm run build
+
+      - name: Test
+        run: npm test
+
+      - name: Publish to npm
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: |
+          # Set authToken explicitly — actions/setup-node was the only consumer
+          # of registry-url + NODE_AUTH_TOKEN, and we dropped it for Forgejo
+          # compat. The literal npmjs registry stays the same.
+          cat > ~/.npmrc <<EOF
+          registry=https://registry.npmjs.org/
+          //registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}
+          EOF
+          npm publish
+          rm -f ~/.npmrc
+
+      - name: Create Forgejo release with auto-generated notes
+        env:
+          FORGEJO_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          FORGEJO_API: http://forgejo:3000/api/v1
+          REPO: deivid/torrentclaw-mcp
+          TAG: ${{ github.ref_name }}
+        run: |
+          set -euo pipefail
+          apt-get update && apt-get install -y --no-install-recommends jq curl
+
+          # Compose release body from commits since the previous tag.
+          prev=$(git describe --tags --abbrev=0 "${TAG}^" 2>/dev/null || echo "")
+          if [ -n "$prev" ]; then
+            notes=$(git log --pretty=format:'- %s' "${prev}..${TAG}")
+          else
+            notes=$(git log --pretty=format:'- %s' "${TAG}")
+          fi
+          body=$(jq -n --arg t "$TAG" --arg n "$notes" \
+            '{tag_name:$t, name:$t, body:$n, draft:false, prerelease:false}')
+          curl -sSf -X POST "$FORGEJO_API/repos/$REPO/releases" \
+            -H "Authorization: token $FORGEJO_TOKEN" \
+            -H "Content-Type: application/json" \
+            -d "$body" >/dev/null || \
+            echo "Release may already exist for $TAG"