diff --git a/.gitea/workflows/lint.yml b/.gitea/workflows/lint.yml
index b61e376..b254ea1 100644
--- a/.gitea/workflows/lint.yml
+++ b/.gitea/workflows/lint.yml
@@ -20,7 +20,7 @@ on:
 jobs:
 build:
 name: Build Firmware
- needs: [cppcheck, flawfinder, gitleaks, shellcheck]
+ needs: [cppcheck, flawfinder, gitleaks]
 runs-on: anvil
 container:
 image: docker.io/espressif/idf:v5.3
@@ -89,19 +89,25 @@ jobs:
 runs-on: anvil
 needs: build
 if: github.event_name == 'workflow_dispatch' && github.event.inputs.deploy == 'true' || startsWith(github.ref, 'refs/tags/v')
- # Run directly on host (no container) to access local network
+ container:
+ image: docker.io/espressif/idf:v5.3
+ options: --network=host
 steps:
+ - name: Install tools
+ run: apt-get update && apt-get install -y --no-install-recommends git curl jq netcat-openbsd
+
 - name: Checkout
 run: |
 git clone --depth=1 --branch=${{ github.ref_name }} \
- https://oauth2:${{ github.token }}@git.mymx.me/${{ github.repository }}.git workspace
+ https://oauth2:${{ github.token }}@git.mymx.me/${{ github.repository }}.git .
 
 - name: Build firmware
 run: |
- cd workspace && . $HOME/esp/esp-idf/export.sh && cd get-started/csi_recv_router && idf.py build
+ . /opt/esp/idf/export.sh
+ cd get-started/csi_recv_router
+ idf.py build
 
 - name: Validate version tag
- working-directory: workspace
 run: |
 TAG="${{ github.ref_name }}"
 # Extract version from binary metadata
@@ -117,7 +123,6 @@ jobs:
 - name: Create release and upload firmware
 env:
 GITEA_TOKEN: ${{ github.token }}
- working-directory: workspace
 run: |
 TAG="${{ github.ref_name }}"
 REPO="${{ github.repository }}"
@@ -150,7 +155,6 @@ jobs:
 "$API_URL/repos/$REPO/releases/$RELEASE_ID/assets?name=csi_recv_router.bin"
 
 - name: Deploy via OTA
- working-directory: workspace
 run: |
 SENSORS="muddy-storm:192.168.129.29 amber-maple:192.168.129.30 hollow-acorn:192.168.129.31"
 OTA_PORT=8899
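Review bot: The `container:` block added in the `@@ -89,19 +89,25 @@` hunk runs the release-and-OTA job from the mutable tag `docker.io/espressif/idf:v5.3` with `--network=host`, and the new `Install tools` step pulls unpinned packages with `apt-get` on every run, so the firmware that is published and pushed to the sensors depends on whatever the registry and package mirrors serve at that moment. Pinning the image by digest, e.g. `image: docker.io/espressif/idf:v5.3@sha256:<digest-placeholder>`, and baking `git curl jq netcat-openbsd` into a derived image would make the deploy toolchain reproducible and keep package installation out of a container that shares the host's network namespace. The `Checkout` step in the same hunk also expands `${{ github.ref_name }}` straight into the shell text; passing it through `env:` (for example `REF_NAME: ${{ github.ref_name }}`) and using `--branch="$REF_NAME"` would keep a ref name containing shell metacharacters from being parsed as commands. The job's later steps (`Validate version tag` onward) continue outside this hunk.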
@@ -290,27 +294,3 @@ jobs:
 
 - name: Run gitleaks
 run: gitleaks detect --source . --verbose --redact
-
- shellcheck:
- name: Shell Script Analysis
- runs-on: anvil
- container:
- image: docker.io/koalaman/shellcheck-alpine:stable
- steps:
- - name: Install git
- run: apk add --no-cache git
-
- - name: Checkout
- run: |
- git clone --depth=1 --branch=${{ github.ref_name }} \
- https://oauth2:${{ github.token }}@git.mymx.me/${{ github.repository }}.git .
-
- - name: Find and check shell scripts
- run: |
- SCRIPTS=$(find . -name "*.sh" -type f 2>/dev/null || true)
- if [ -n "$SCRIPTS" ]; then
- echo "Checking: $SCRIPTS"
- echo "$SCRIPTS" | xargs shellcheck --severity=warning
- else
- echo "No shell scripts found, skipping"
- fi