ci: port workflows from .github/ to .forgejo/ (Forgejo Actions)

GitHub torrentclaw org is shadow-banned; CI is hosted at git.torrentclaw.com
now. Move workflows into the runner's natively-watched .forgejo/workflows/
tree and adapt steps to run in the available 'docker'-labeled Forgejo runner
without GitHub-only tooling (gh CLI, third-party marketplace actions).

- Use container: image to ship the toolchain (no actions/setup-* needed).
- Drop GitHub-only marketplace actions in favour of upstream installers
  invoked over curl/apt.
- Where a workflow created a GitHub Release (release.yml), substitute the
  step with a curl call against the Forgejo Releases API
  (POST /repos/<owner>/<repo>/releases).

.forgejo/workflows/ci.yml

@@ -0,0 +1,86 @@
+name: CI
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  lint-commits:
+    name: Lint commits
+    runs-on: docker
+    container:
+      image: docker.io/library/ubuntu:24.04
+    if: github.event_name == 'pull_request'
+    steps:
+      - name: Install git + grep
+        run: apt-get update && apt-get install -y --no-install-recommends git ca-certificates
+
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Validate conventional commits
+        run: |
+          base="${{ github.event.pull_request.base.sha }}"
+          head="${{ github.event.pull_request.head.sha }}"
+          pattern='^(feat|fix|docs|style|refactor|perf|test|build|ci|chore|revert)(\(.+\))?(!)?: .{1,}$'
+
+          failed=0
+          while IFS= read -r msg; do
+            first_line=$(echo "$msg" | head -1)
+            if ! echo "$first_line" | grep -qE "$pattern"; then
+              echo "FAIL: $first_line"
+              failed=1
+            fi
+          done < <(git log --format="%s" "$base".."$head")
+
+          if [ "$failed" -eq 1 ]; then
+            echo ""
+            echo "Some commits do not follow Conventional Commits format."
+            echo "Expected: <type>[scope][!]: <description>"
+            echo "See: https://www.conventionalcommits.org/"
+            exit 1
+          fi
+          echo "All commits follow Conventional Commits format."
+
+  lint-scripts:
+    name: Lint shell scripts
+    runs-on: docker
+    container:
+      image: docker.io/library/ubuntu:24.04
+    steps:
+      - name: Install shellcheck
+        run: apt-get update && apt-get install -y --no-install-recommends shellcheck git ca-certificates
+
+      - uses: actions/checkout@v4
+
+      - name: Run ShellCheck
+        run: shellcheck scripts/*.sh
+
+  security-check:
+    name: Security patterns check
+    runs-on: docker
+    container:
+      image: docker.io/library/ubuntu:24.04
+    steps:
+      - name: Install grep + git
+        run: apt-get update && apt-get install -y --no-install-recommends git grep ca-certificates
+
+      - uses: actions/checkout@v4
+
+      - name: Check for unsafe string interpolation in curl payloads
+        run: |
+          # Flag inline JSON in double quotes (allows shell interpolation).
+          # Safe patterns: curl -d '{}' (single quotes) or curl -d "$var" (pre-built payload).
+          if grep -rPn 'curl.*-d\s*"[{]' scripts/*.sh; then
+            echo ""
+            echo "ERROR: Found curl -d with inline JSON in double quotes."
+            echo "Use jq --arg to build JSON safely and pass via variable."
+            exit 1
+          fi
+          echo "No unsafe curl patterns found."