diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml index 1ea6580..53da863 100644 --- a/.gitea/workflows/deploy.yml +++ b/.gitea/workflows/deploy.yml @@ -1,3 +1,25 @@ +# ----------------------------------------------------------------------------- +# cameleer-website — Gitea Actions build + deploy +# +# Runner: self-hosted arm64 (Gitea Runner / act_runner). +# Deploy target: Hetzner Webhosting L (amd64). +# +# Architecture mismatch does NOT matter: Astro's output is static HTML/CSS/JS +# plus hashed assets. Nothing arch-specific ships in the bundle. Everything in +# this workflow — Node 20, rsync, ssh, curl, chromium — has native arm64. +# +# The only non-trivial arm64 gotcha is Lighthouse CI: Google Chrome has no +# stable Linux/arm64 build, so we install the distro-packaged Chromium and +# hand its path to LHCI via CHROME_PATH. On amd64 runners this still works; +# the step is idempotent if Chromium is already present. +# +# `runs-on` labels: +# This file uses `ubuntu-latest`, which the default act_runner config maps +# to `catthehacker/ubuntu:act-latest` (multi-arch, has apt + sudo). If your +# runner is registered with different labels (e.g. `[self-hosted, arm64]`), +# update `runs-on` below accordingly. +# ----------------------------------------------------------------------------- + name: build-test-deploy on: @@ -8,7 +30,8 @@ on: jobs: build: - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest + timeout-minutes: 20 env: PUBLIC_AUTH_SIGNIN_URL: ${{ vars.PUBLIC_AUTH_SIGNIN_URL }} PUBLIC_AUTH_SIGNUP_URL: ${{ vars.PUBLIC_AUTH_SIGNUP_URL }} 
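Review bot: Changing `runs-on` from `ubuntu-22.04` to `ubuntu-latest` in the build job makes the job image a moving target, because the header comment added in this same commit says the default act_runner config maps that label to `catthehacker/ubuntu:act-latest`, a mutable tag. The deploy job gets the same change (hunk `-59,7 +119,8`), and that job receives `SFTP_KEY`, so whatever the tag points to at run time is handed the deploy credential. Consider keeping a versioned label, or, if the runner's label mapping allows it, pointing the label at an image pinned by digest. Either way the header comment should record the choice, e.g. `# NOTE: the deploy job handles SFTP_KEY; keep the runner image pinned.`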
@@ -22,6 +45,41 @@ jobs: node-version: '20' cache: 'npm' + # Lighthouse CI needs a Chrome/Chromium binary at runtime. Google Chrome + # has no Linux/arm64 build, so install distro Chromium and export its + # path. Handles both `chromium` (Debian) and `chromium-browser` (older + # Ubuntu) package names, and works whether sudo is present or absent + # (e.g. runner running as root). + - name: Install Chromium for Lighthouse CI + shell: bash + run: | + set -e + if command -v sudo >/dev/null 2>&1; then SUDO=sudo; else SUDO=; fi + + resolve_chromium() { + command -v chromium 2>/dev/null \ + || command -v chromium-browser 2>/dev/null \ + || true + } + + CHROME_BIN="$(resolve_chromium)" + if [ -z "$CHROME_BIN" ]; then + $SUDO apt-get update -qq + $SUDO apt-get install -y --no-install-recommends \ + chromium chromium-driver \ + || $SUDO apt-get install -y --no-install-recommends \ + chromium-browser chromium-chromedriver + CHROME_BIN="$(resolve_chromium)" + fi + + if [ -z "$CHROME_BIN" ]; then + echo "Failed to install a Chromium binary — Lighthouse CI cannot run." + exit 1 + fi + + echo "CHROME_PATH=$CHROME_BIN" >> "$GITHUB_ENV" + "$CHROME_BIN" --version || true + - name: Install dependencies run: npm ci @@ -46,6 +104,8 @@ jobs: run: npm run lint:links - name: Lighthouse CI + env: + CHROME_PATH: ${{ env.CHROME_PATH }} run: npx lhci autorun - name: Upload dist artifact @@ -59,7 +119,8 @@ jobs: deploy: if: github.ref == 'refs/heads/main' needs: build - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest + timeout-minutes: 10 concurrency: group: deploy-production cancel-in-progress: false 
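Review bot: The last line of the `Install Chromium for Lighthouse CI` step, `"$CHROME_BIN" --version || true`, lets the step pass when a binary is on PATH but cannot start. On Ubuntu-based images the `chromium-browser` fallback may resolve to a wrapper that does not run inside a container, and the failure would then only surface later in the `Lighthouse CI` step with a less direct error. Dropping the `|| true` makes `set -e` stop the job here: `"$CHROME_BIN" --version`. Separately, `chromium-driver` / `chromium-chromedriver` are installed as root, but nothing in the visible workflow uses WebDriver; if nothing outside the hunk needs them, leaving them out reduces what is pulled into the job.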
@@ -76,11 +137,20 @@ jobs: SFTP_KEY: ${{ secrets.SFTP_KEY }} SFTP_KNOWN_HOSTS: ${{ secrets.SFTP_KNOWN_HOSTS }} run: | + set -e + : "${SFTP_KEY:?SFTP_KEY secret must be set}" + : "${SFTP_KNOWN_HOSTS:?SFTP_KNOWN_HOSTS secret must be set}" mkdir -p ~/.ssh - echo "$SFTP_KEY" > ~/.ssh/id_ed25519 + printf '%s\n' "$SFTP_KEY" > ~/.ssh/id_ed25519 chmod 600 ~/.ssh/id_ed25519 - echo "$SFTP_KNOWN_HOSTS" > ~/.ssh/known_hosts + printf '%s\n' "$SFTP_KNOWN_HOSTS" > ~/.ssh/known_hosts chmod 644 ~/.ssh/known_hosts + # Ensure rsync + openssh are present even on a minimal runner image. + if ! command -v rsync >/dev/null 2>&1 || ! command -v ssh >/dev/null 2>&1; then + if command -v sudo >/dev/null 2>&1; then SUDO=sudo; else SUDO=; fi + $SUDO apt-get update -qq + $SUDO apt-get install -y --no-install-recommends rsync openssh-client + fi - name: Deploy via rsync env: diff --git a/lighthouserc.cjs b/lighthouserc.cjs index a9606c0..4099023 100644 --- a/lighthouserc.cjs +++ b/lighthouserc.cjs @@ -11,6 +11,10 @@ module.exports = { numberOfRuns: 3, settings: { preset: 'desktop', + // Flags required when Chromium runs inside a CI container or as root + // (Gitea act_runner on arm64 uses containers). --headless=new is the + // modern Chromium headless mode. CHROME_PATH is set by the workflow. + chromeFlags: '--no-sandbox --headless=new --disable-gpu --disable-dev-shm-usage', }, }, assert: {
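Review bot: The private key is still created under the runner's default umask and only tightened by the following `chmod 600`, and `~/.ssh` itself never gets `0700`, so the key file is briefly readable with whatever default mode the image uses. Adding `umask 077` right after `set -e` and `chmod 700 ~/.ssh` after the `mkdir -p` closes that window, and the existing `chmod 644 ~/.ssh/known_hosts` still applies. The `apt-get` block also runs after the key is on disk; moving the rsync/openssh install above the `mkdir` keeps package maintainer scripts from running as root next to the credential. No cleanup of `~/.ssh/id_ed25519` is visible in this hunk, and on a self-hosted runner that reuses its workspace or home directory the key would persist, so a final `if: always()` step with `rm -f ~/.ssh/id_ed25519` is worth adding if one does not already exist. The step's `env:` header starts above the hunk, and the `Deploy via rsync` step continues past it.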
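Review bot: `--no-sandbox` in `chromeFlags` turns off Chromium's process sandbox for every Lighthouse run that reads this config, not only the containerised CI run the comment describes, so a local `lhci` run on a developer machine renders the pages unsandboxed too. Consider appending the flag only in CI, e.g. `chromeFlags: '--headless=new --disable-gpu --disable-dev-shm-usage' + (process.env.CI ? ' --no-sandbox' : ''),` (this assumes the runner sets `CI`, which should be confirmed for act_runner). The comment should also state the constraint, e.g. `// --no-sandbox: CI container only; do not point this config at untrusted URLs.` The enclosing `module.exports` object starts and ends outside the hunk.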