diff --git a/.gitea/workflows/build.yaml b/.forgejo/workflows/build.yaml
similarity index 79%
rename from .gitea/workflows/build.yaml
rename to .forgejo/workflows/build.yaml
index 39070ea..5c61f86 100644
--- a/.gitea/workflows/build.yaml
+++ b/.forgejo/workflows/build.yaml
@@ -1,15 +1,13 @@
-name: test
-
 on: push
 
 jobs:
   build:
-    name: test
     runs-on: debian
     steps:
       - uses: actions/checkout@v1
-      - uses: actions/kaniko@v1
+      - uses: actions/buildkit@v1
         with:
           dockerfile: debian/Dockerfile
           image: actions/debian:latest
           password: "${{ secrets.PKGRW }}"
+          cache: false
diff --git a/debian/Dockerfile b/debian/Dockerfile
index 0b169e1..0120f18 100644
--- a/debian/Dockerfile
+++ b/debian/Dockerfile
@@ -1,19 +1,16 @@
-FROM debian:12-slim as kubectl
-RUN apt-get update && apt-get install -y --no-install-recommends \
-        ca-certificates \
-        curl \
-        git \
-    && rm -rf /var/lib/apt/lists/*
-ENV K8S_VERSION=v1.27
-RUN V="$(git ls-remote --tags --refs --sort=version:refname https://github.com/kubernetes/kubernetes "$K8S_VERSION.*" | awk -F/ 'END{print $NF}')" \
-    && curl -Lo /kubectl "https://dl.k8s.io/release/$V/bin/linux/amd64/kubectl"
-
-FROM debian:12-slim
+FROM docker.io/debian:trixie-20250929-slim
 ENV DEBIAN_FRONTEND=noninteractive
 RUN apt-get update && apt-get install -y --no-install-recommends \
         ca-certificates \
+        curl \
         gettext-base \
         git \
-        jq \
+        openssh-client \
+        yq \
     && rm -rf /var/lib/apt/lists/*
-COPY --from=kubectl --chmod=0755 /kubectl /usr/local/bin/
+# https://dl.k8s.io/release/stable.txt
+RUN curl -sLo /usr/local/bin/kubectl \
+        "https://dl.k8s.io/release/v1.34.1/bin/linux/amd64/kubectl" \
+    && chmod 0755 /usr/local/bin/kubectl
+RUN useradd -m app
+USER app