diff --git a/.ansible-lint b/.ansible-lint
index 9008dfa9..a96bb516 100644
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -27,3 +27,4 @@ exclude_paths:
 - roles/ansible_role_gitea
 - roles/ansible-role-postgresql
 - .woodpecker/
+ - .gitea/
diff --git a/.gitea/workflows/ansible-lint.yaml b/.gitea/workflows/ansible-lint.yaml
new file mode 100644
index 00000000..dc303896
--- /dev/null
+++ b/.gitea/workflows/ansible-lint.yaml
@@ -0,0 +1,21 @@
+name: ansible-lint
+on:
+ push:
+ branches: [ master ]
+ pull_request:
+
+jobs:
+ ansible-lint:
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: write vault-pass
+ run: echo ${{ secrets.VAULTPASS }} > ./vault-pass
+
+ - name: run ansible-lint
+ uses: docker://registry.mgrote.net/ansible-devspace:latest
+ with:
+ args: ansible-lint --force-color --format pep8 --show-relpath
+
+# VAULTPASS ist als Secrets auf Repo-Ebene angelegt
diff --git a/.gitea/workflows/demo.yaml b/.gitea/workflows/demo.yaml
new file mode 100644
index 00000000..f9b5b85c
--- /dev/null
+++ b/.gitea/workflows/demo.yaml
@@ -0,0 +1,21 @@
+name: Gitea Actions Demo
+run-name: ${{ gitea.actor }} is testing out Gitea Actions 🚀
+on:
+ schedule:
+ - cron: '* * * * *' # test
+
+jobs:
+ Explore-Gitea-Actions:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo "🎉 The job was automatically triggered by a ${{ gitea.event_name }} event."
+ - run: echo "🐧 This job is now running on a ${{ runner.os }} server hosted by Gitea!"
+ - run: echo "🔎 The name of your branch is ${{ gitea.ref }} and your repository is ${{ gitea.repository }}."
+ - name: Check out repository code
+ uses: actions/checkout@v4
+ - run: echo "💡 The ${{ gitea.repository }} repository has been cloned to the runner."
+ - run: echo "🖥️ The workflow is now ready to test your code on the runner."
+ - name: List files in the repository
+ run: |
+ ls ${{ gitea.workspace }}
+ - run: echo "🍏 This job's status is ${{ job.status }}." 
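Review bot: The `write vault-pass` step expands `${{ secrets.VAULTPASS }}` straight into the shell line, so the secret goes through word splitting and glob expansion before `echo` sees it, and the resulting `./vault-pass` is left with default permissions in the workspace the next step runs on; the removed Woodpecker pipeline at least did `chmod 0400` on its key file. Passing the secret through `env:` and writing it with `printf` under `umask 077` keeps the value byte-exact and the file private. The job also has no `runs-on`, unlike the job in `demo.yaml`; whether the runner accepts a job without a label I can't tell from here. `actions/checkout@v3` here versus `@v4` in `demo.yaml` is worth aligning, and `ansible-devspace:latest` is a mutable tag, so the lint result depends on whatever was pushed to the registry last.
```yaml
      - name: write vault-pass
        env:
          VAULTPASS: ${{ secrets.VAULTPASS }}
        run: |
          umask 077
          printf '%s\n' "$VAULTPASS" > ./vault-pass
```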
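Review bot: `cron: '* * * * *'` schedules the demo job every minute, each run doing a full checkout on the shared runner, and the trailing `# test` suggests this was never meant to stay; nothing prevents it from being merged as-is. Either drop the `schedule:` trigger before merging or widen it to something like `cron: '0 3 * * 0'` (constructed example, weekly) so a forgotten demo does not keep the runner busy. If the file is only meant to verify that the runner works, replacing the schedule with a `workflow_dispatch:`-style manual trigger would be the cleaner choice, if Gitea's runner supports it for this setup.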
diff --git a/.gitea/workflows/gitleaks.yaml b/.gitea/workflows/gitleaks.yaml
new file mode 100644
index 00000000..7009367a
--- /dev/null
+++ b/.gitea/workflows/gitleaks.yaml
@@ -0,0 +1,16 @@
+name: gitleaks
+on:
+ push:
+ branches: [ master ]
+ pull_request:
+
+jobs:
+ gitleaks:
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Run Gitleaks
+ uses: docker://zricethezav/gitleaks:v8.18.4
+ with:
+ args: detect --no-git --verbose --source ${{ github.workspace }}
diff --git a/.woodpecker/ansible-lint.yml b/.woodpecker/ansible-lint.yml
deleted file mode 100644
index ea875b35..00000000
--- a/.woodpecker/ansible-lint.yml
+++ /dev/null
@@ -1,20 +0,0 @@
----
-depends_on:
- - gitleaks
-
-steps:
- ansible-lint:
- image: registry.mgrote.net/ansible-devspace:latest
- commands:
- # Secrets
- - echo $${SSHKEY} | base64 -d > ./id_ed25519 # woodpecker verschluckt linebreaks, daher mit base64 -w0 "kodiert"
- - echo $${VAULTPASS} | base64 -d > ./vault-pass # Name des Secrets in Großschreibung
- - chmod 0400 ./id_ed25519
- # Doing
- - ansible-lint --force-color --format pep8 --show-relpath
- # https://woodpecker-ci.org/docs/usage/secrets#use-secrets-in-commands
- secrets: [vaultpass]
- when:
- - event: [push, pull_request, cron, pull_request_closed, tag, release, manual]
- evaluate: 'CI_COMMIT_AUTHOR_EMAIL != "renovate@mgrote.net"'
-...
diff --git a/.woodpecker/gitleaks.yml b/.woodpecker/gitleaks.yml
deleted file mode 100644
index afb2b029..00000000
--- a/.woodpecker/gitleaks.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-steps:
- gitleaks:
- image: zricethezav/gitleaks:v8.18.4
- commands:
- - gitleaks detect --no-git --verbose --source $CI_WORKSPACE
- when:
- - event: [push, pull_request, cron, pull_request_closed, tag, release, manual]
- evaluate: 'CI_COMMIT_AUTHOR_EMAIL != "renovate@mgrote.net"'
-...
diff --git a/README.md b/README.md
index 345b549a..c50fe92d 100644
--- a/README.md
+++ b/README.md
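Review bot: `--source ${{ github.workspace }}` reads the `github` context while `demo.yaml` in the same commit uses `gitea.workspace`; Gitea's runner is generally described as accepting `github.*` as an alias, but using one form consistently (`--source ${{ gitea.workspace }}`) makes it certain that the path handed to gitleaks is the checkout and not an empty expansion. Two behaviours of the removed Woodpecker pipelines are not carried over: the `evaluate: 'CI_COMMIT_AUTHOR_EMAIL != "renovate@mgrote.net"'` filter that skipped Renovate commits, and `depends_on: gitleaks` that let ansible-lint run only after the secret scan passed — if dropping both is intentional, a sentence in the commit message would record that. `--no-git` scans only the working tree, as before, so history is still not covered; that is unchanged rather than new. As in `ansible-lint.yaml`, the job has no `runs-on` and pins `actions/checkout@v3` where `demo.yaml` uses `@v4`.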
@@ -1,11 +1,13 @@ # ansible_heimserver -[![status-badge](https://ci.mgrote.net/api/badges/2/status.svg)](https://ci.mgrote.net/repos/2) - ## ansible-devspace - Repository: https://git.mgrote.net/container-images/ansible-devspace - - dort mit Woodpecker-CI gebaut und in eigene Registry gepushed + - dort mit CI gebaut und in eigene Registry gepushed - ``devspace.sh`` pulled Image, prüft ob SSH-Key und ``vault-pass`` vorhanden sind - mountet git-Secrets - startet Container + + +https://git.mgrote.net/mg/homeserver/actions/workflows/{workflow_file}/badge.svg?branch={branch}&event={event} +https://git.mgrote.net/mg/homeserver/actions/workflows/ansible-lint.yaml/badge.svg
diff --git a/docker-compose/act-runner/docker-compose.yml.j2 b/docker-compose/act-runner/docker-compose.yml.j2
new file mode 100644
index 00000000..675c9318
--- /dev/null
+++ b/docker-compose/act-runner/docker-compose.yml.j2
@@ -0,0 +1,18 @@
+---
+# https://gitea.com/gitea/act_runner/src/branch/main/examples/docker-compose
+version: "3.7"
+services:
+ runner:
+ container_name: act-runner
+ image: gitea/act_runner
+ restart: always
+ volumes:
+ - act_runner_data:/data
+ - /var/run/docker.sock:/var/run/docker.sock
+ environment:
+ GITEA_INSTANCE_URL: https://git.mgrote.net
+ GITEA_RUNNER_REGISTRATION_TOKEN: "{{ lookup('viczem.keepass.keepass', 'gitea_act_runner_token', 'password') }}" # only used on first start, https://git.mgrote.net/admin/actions/runners
+ GITEA_RUNNER_NAME: "docker10-act-runner"
+
+volumes:
+ act_runner_data:
diff --git a/group_vars/git.yml b/group_vars/git.yml
index 87090b04..9093f25c 100644
--- a/group_vars/git.yml
+++ b/group_vars/git.yml
@@ -55,7 +55,7 @@ ufw_rules:
 ### ansible_role_gitea
 gitea_fork: "forgejo"
 # gitea update
-gitea_version: "1.21.7-0" # alt zum renovate testen
+gitea_version: "1.21.11-2" # TODO renovate, wird das erkannt?
 gitea_version_check: true
 gitea_backup_on_upgrade: false
 # gitea in the linux world 
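Review bot: `image: gitea/act_runner` carries no tag, so every pull or recreate silently moves to whatever `latest` currently is, for a container that holds the instance registration and has `/var/run/docker.sock` mounted; pin it, e.g. `image: gitea/act_runner:<version>` (placeholder, pick the release actually deployed). The socket mount makes the runner process root-equivalent on docker10, and the workflows added in this commit trigger on `pull_request`, so anyone who can open a pull request on a repository that is allowed to use this runner gets code executed next to that socket — which repositories that is gets decided on the Gitea side, not here, so it is worth confirming. The rendered compose file will contain the registration token in clear text even though the comment says it is only used on first start; if the file lands on disk unprotected, consider removing the variable after registration. `version: "3.7"` is ignored by current Compose and only yields a warning; it can be dropped.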
@@ -127,7 +127,7 @@ gitea_federation_enabled: false
 # Packages
 gitea_packages_enabled: false
 # actions
-gitea_actions_enabled: false
+gitea_actions_enabled: true
 gitea_extra_config: |
 ; webhook: wird für drone benötigt, sonst wird der Webhook nicht "gesendet"
 [webhook]
diff --git a/host_vars/docker10.mgrote.net.yml b/host_vars/docker10.mgrote.net.yml
index a614829e..97d8de94 100644
--- a/host_vars/docker10.mgrote.net.yml
+++ b/host_vars/docker10.mgrote.net.yml
@@ -67,6 +67,8 @@ compose_files:
 network: traefik
 - name: gramps
 state: present
+ - name: act-runner
+ state: present
 ### oefenweb.ufw
 ufw_rules:
diff --git a/keepass_db.kdbx b/keepass_db.kdbx
index ce6855d3..0c13e0fd 100644
Binary files a/keepass_db.kdbx and b/keepass_db.kdbx differ
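Review bot: `gitea_actions_enabled: true` switches Actions on for the whole instance, and the runner added in `docker-compose/act-runner/docker-compose.yml.j2` appears to be registered at the admin level (its comment points at `https://git.mgrote.net/admin/actions/runners`), so every repository on the instance can now dispatch jobs to a runner that has the host's Docker socket mounted. If only this repository is meant to use it, a repository- or organisation-scoped registration token narrows that; otherwise Gitea's `[actions]` section inside the `gitea_extra_config` block just below this line is where instance-wide settings belong — I can't see from the hunk what that block currently contains. A short comment tying the two changes together, e.g. `gitea_actions_enabled: true  # runner: act-runner on docker10, registered instance-wide`, would save the next reader the cross-file lookup.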