diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index df08fe0..bb5a36b 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -6,29 +6,86 @@ on:
 pull_request:
 branches: [main]
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+env:
+ PYTHON_VERSION: "3.11"
+ PIP_DISABLE_PIP_VERSION_CHECK: "1"
+ PIP_NO_CACHE_DIR: "1"
+
 jobs:
- test:
+ lint:
+ name: Lint & Format
 runs-on: ubuntu-latest
 container:
- image: debian:bookworm-slim
+ image: python:3.11-slim
 steps:
- - name: Checkout
+ - name: Setup and checkout
 run: |
- apt-get update && apt-get install -y --no-install-recommends git ca-certificates
+ apt-get update -qq && apt-get install -yqq --no-install-recommends git >/dev/null
+ git clone --depth 1 --branch "${GITHUB_REF_NAME}" \
+ "https://oauth2:${{ github.token }}@${GITHUB_SERVER_URL#https://}/${GITHUB_REPOSITORY}.git" .
+
+ - name: Install tools
+ run: pip install -q ruff mypy
+
+ - name: Syntax check
+ run: python -m py_compile run.py wsgi.py app/*.py app/**/*.py
+
+ - name: Ruff lint
+ run: ruff check app/ tests/ fpaste
+
+ - name: Ruff format
+ run: ruff format --check app/ tests/ fpaste
+
+ - name: Type check
+ run: mypy app/ --ignore-missing-imports --no-error-summary
+
+ security:
+ name: Security Scan
+ runs-on: ubuntu-latest
+ container:
+ image: python:3.11-slim
+
+ steps:
+ - name: Setup and checkout
+ run: |
+ apt-get update -qq && apt-get install -yqq --no-install-recommends git >/dev/null
 git clone --depth 1 --branch "${GITHUB_REF_NAME}" \
 "https://oauth2:${{ github.token }}@${GITHUB_SERVER_URL#https://}/${GITHUB_REPOSITORY}.git" .
- name: Install dependencies
 run: |
- apt-get install -y --no-install-recommends python3 python3-pip python3-venv
- python3 -m venv venv
- ./venv/bin/pip install --quiet --upgrade pip
- ./venv/bin/pip install --quiet -r requirements.txt
- ./venv/bin/pip install --quiet pytest pytest-cov
+ pip install -q -r requirements.txt
+ pip install -q bandit pip-audit
+
+ - name: Bandit scan
+ run: bandit -r app/ -ll -q
+
+ - name: Dependency audit
+ run: pip-audit --strict --progress-spinner=off
+
+ test:
+ name: Tests
+ runs-on: ubuntu-latest
+ needs: [lint]
+ container:
+ image: python:3.11-slim
+
+ steps:
+ - name: Setup and checkout
+ run: |
+ apt-get update -qq && apt-get install -yqq --no-install-recommends git >/dev/null
+ git clone --depth 1 --branch "${GITHUB_REF_NAME}" \
+ "https://oauth2:${{ github.token }}@${GITHUB_SERVER_URL#https://}/${GITHUB_REPOSITORY}.git" .
+
+ - name: Install dependencies
+ run: |
+ pip install -q -r requirements.txt
+ pip install -q pytest
 - name: Run tests
- run: ./venv/bin/pytest tests/ -v --tb=short
-
- - name: Check syntax
- run: ./venv/bin/python -m py_compile run.py wsgi.py app/*.py app/**/*.py
+ run: pytest tests/ -v --tb=short
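Review bot: The `git clone` in each job's `Setup and checkout` step embeds `${{ github.token }}` in the remote URL, so the token shows up in the container's process list and git persists it in `.git/config` as `remote.origin.url` for the rest of the job, where every later step (including the `pip install` of third-party packages that runs next) can read it back. Pass the token through `env:` and send it as a transient `http.extraheader` instead, as sketched below; the same step is repeated in the lint, security and test jobs, so all three copies need the change. Separately, `pip install -q ruff mypy`, `pip install -q bandit pip-audit` and `pip install -q pytest` are unpinned, so lint and audit results can change between runs with no change to the repository; pinning them (`ruff==<version>` and so on, ideally from a dev requirements file) keeps CI reproducible and shrinks the supply-chain surface. If the Gitea runner can execute `actions/checkout` inside this container that would remove the hand-rolled clone altogether, but the hunk gives no way to confirm that.
```yaml
      - name: Setup and checkout
        env:
          GIT_TOKEN: ${{ github.token }}
        run: |
          apt-get update -qq && apt-get install -yqq --no-install-recommends git >/dev/null
          # token travels in a one-off request header, not in the URL that git writes to .git/config
          git -c "http.extraheader=AUTHORIZATION: basic $(printf 'oauth2:%s' "${GIT_TOKEN}" | base64 -w0)" \
            clone --depth 1 --branch "${GITHUB_REF_NAME}" \
            "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git" .
      # … unchanged: remaining steps of the job …
```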