diff --git a/.forgejo/workflows/build_penpot.yml b/.forgejo/workflows/build_penpot.yml
new file mode 100644
index 0000000..fd219db
--- /dev/null
+++ b/.forgejo/workflows/build_penpot.yml
@@ -0,0 +1,62 @@
+name: Build Penpot
+
+on:
+  workflow_dispatch: {}
+  push: {}
+  schedule:
+    - cron: "@daily"
+
+jobs:
+  build-container:
+    name: Build Image penpot-${{ matrix.image-type }}:${{ matrix.penpot-version }}
+    runs-on: docker
+    container:
+      image: ghcr.io/osscontainertools/kaniko:alpine
+    strategy:
+      matrix:
+        penpot-version: [ "2.1.2" ]
+        image-type: [ frontend, backend, exporter ]
+    steps:
+      - name: Install required system packages
+        run: apk add --no-cache nodejs
+
+      - name: Setup penpot repo
+        uses: actions/checkout@v6
+        with:
+          github-server-url: github.com
+          repository: penpot/penpot
+          ref: ${{ matrix.image-penpot-version }}
+          submodules: recursive
+          path: penpot
+
+      - name: Patch penpot to work with kaniko
+        run: |
+          # Get build system patch allowing for building images with kaniko.
+          # https://github.com/penpot/penpot/pull/4945
+          # https://github.com/penpot/penpot/pull/4945/commits/752574bac789cc90cc218004bb9545cc6239895d
+          curl https://github.com/penpot/penpot/commit/752574bac789cc90cc218004bb9545cc6239895d.patch > 0001-move-entire-image-build-process-into-Dockerfiles.patch
+
+          # Get patch disallowing registration with invitation token, when disable-login-with-password flag is set.
+          # https://github.com/penpot/penpot/issues/4975
+          # https://github.com/june128/penpot/commit/f799da132bf5a51015859031f45154172fbf7cd0
+          curl https://github.com/june128/penpot/commit/f799da132bf5a51015859031f45154172fbf7cd0.patch > 0002-hotfix-dont-allow-registration-with-invite-if-password-login-
+
+          # apply patches
+          git config user.name "Woodpecker"
+          git config user.email "woodpecker@woodpecker.invalid"
+          git am *.patch
+
+      - name: Build Container
+        env:
+          KANIKO_NO_PUSH: ${{ forgejo.ref_name != 'main' }}
+          KANIKO_GIT_HAMBURG_CCC_DE_USER: forgejo-actions
+          KANIKO_GIT_HAMBURG_CCC_DE_PASSWORD: ${{ secrets.PACKAGES_TOKEN }}
+        run: /kaniko/executor
+          --dockerfile="${{forgejo.workspace }}/penpot/Containerfile"
+          --context="dir://${{ forgejo.workspace }}/penpot/docker/images/Dockerfile.${{ matrix.image-type }}"
+          --destination=git.hamburg.ccc.de/ccchh/oci-images/penpot-${{ matrix.image-type }}:${{ matrix.penpot-version }}
+          --no-push-cache
+          --credential-helpers=env
+          --annotation=org.opencontainers.image.ref.name=penpot-${{ matrix.image-type }}
+          --annotation=org.opencontainers.image.url=${{ forgejo.server_url }}/${{ forgejo.repository }}
+          --annotation=org.opencontainers.image.source=${{ forgejo.server_url }}/${{ forgejo.repository }}
diff --git a/.woodpecker/penpot.yaml b/.woodpecker/penpot.yaml
deleted file mode 100644
index 8cedcbe..0000000
--- a/.woodpecker/penpot.yaml
+++ /dev/null
@@ -1,98 +0,0 @@
-when:
-  - event: push
-    path: 
-      - 'penpot/**'
-      - '.woodpecker/penpot.yaml'
-  - event: cron
-    cron: daily
-
-# Manually set a workspace path, so we can use it literally, without using
-# ${CI_WORKSPACE}, when running kaniko, since using ${CI_WORKSPACE} doesn't work.
-# https://github.com/woodpecker-ci/woodpecker/issues/3982
-workspace:
-  path: src
-
-# Use matrix to set PENPOT_VERSION instead of setting the PENPOT_VERSION as an
-# environment variable in the build-images step, since string substitution
-# doesn't work for custom environment variables.
-# https://github.com/woodpecker-ci/woodpecker/issues/3983
-# Also because global environment variables aren't a thing.
-matrix:
-  PENPOT_VERSION:
-    - 2.1.2
-  IMAGE_BASE_NAME:
-    - git.hamburg.ccc.de/ccchh/oci-images/penpot
-  IMAGE_TYPE:
-    - frontend
-    - backend
-    - exporter
-
-steps:
-  - name: setup-image-path
-    image: alpine
-    commands:
-      - mkdir /woodpecker/images
-
-  - name: setup-penpot-repo
-    image: alpine
-    commands:
-      - apk -u add git curl
-      - git clone --branch $PENPOT_VERSION https://github.com/penpot/penpot.git /woodpecker/penpot
-      - cd /woodpecker/penpot
-      - git submodule update --init --recursive
-      # Get build system patch allowing for building images with kaniko.
-      # https://github.com/penpot/penpot/pull/4945
-      # https://github.com/penpot/penpot/pull/4945/commits/752574bac789cc90cc218004bb9545cc6239895d
-      - curl https://github.com/penpot/penpot/commit/752574bac789cc90cc218004bb9545cc6239895d.patch > 0001-move-entire-image-build-process-into-Dockerfiles.patch
-      # Get patch disallowing registration with invitation token, when disable-login-with-password flag is set.
-      # https://github.com/penpot/penpot/issues/4975
-      # https://github.com/june128/penpot/commit/f799da132bf5a51015859031f45154172fbf7cd0
-      - curl https://github.com/june128/penpot/commit/f799da132bf5a51015859031f45154172fbf7cd0.patch > 0002-hotfix-dont-allow-registration-with-invite-if-password-login-is-disabled.patch
-      - git config user.name "Woodpecker"
-      - git config user.email "woodpecker@woodpecker.invalid"
-      - git am *.patch
-
-  - name: build-image
-    image: gcr.io/kaniko-project/executor
-    entrypoint:
-      - /kaniko/executor
-      - --context=dir:///woodpecker/penpot
-      - --dockerfile=./docker/images/Dockerfile.${IMAGE_TYPE}
-      - --destination=${IMAGE_BASE_NAME}/${IMAGE_TYPE}:${PENPOT_VERSION}
-      - --no-push
-      - --tar-path=/woodpecker/images/penpot-${IMAGE_TYPE}.tar
-
-  - name: publish-image
-    image: docker.io/library/alpine
-    environment:
-      GIT_API_TOKEN:
-        from_secret: GIT_API_TOKEN
-    commands:
-      - apk -u add crane
-      - crane auth login git.hamburg.ccc.de -u woodpecker -p $GIT_API_TOKEN
-      - crane push /woodpecker/images/penpot-$IMAGE_TYPE.tar $IMAGE_BASE_NAME/$IMAGE_TYPE:$PENPOT_VERSION-$CI_COMMIT_BRANCH
-
-  - name: tag-version
-    image: docker.io/library/alpine
-    when:
-      - branch: main
-    environment:
-      GIT_API_TOKEN:
-        from_secret: GIT_API_TOKEN
-    commands:
-      - apk -u add crane
-      - crane auth login git.hamburg.ccc.de -u woodpecker -p $GIT_API_TOKEN
-      - crane tag $IMAGE_BASE_NAME/$IMAGE_TYPE:$PENPOT_VERSION-$CI_COMMIT_BRANCH $PENPOT_VERSION
-
-  - name: tag-latest
-    image: docker.io/library/alpine
-    when:
-      - branch: main
-        evaluate: 'PENPOT_VERSION == "2.1.2"'
-    environment:
-      GIT_API_TOKEN:
-        from_secret: GIT_API_TOKEN
-    commands:
-      - apk -u add crane
-      - crane auth login git.hamburg.ccc.de -u woodpecker -p $GIT_API_TOKEN
-      - crane tag $IMAGE_BASE_NAME/$IMAGE_TYPE:$PENPOT_VERSION-$CI_COMMIT_BRANCH latest