diff --git a/.gitea/workflows/docker-build.yaml b/.gitea/workflows/docker-build.yaml
index 0decb70..e39941e 100644
--- a/.gitea/workflows/docker-build.yaml
+++ b/.gitea/workflows/docker-build.yaml
@@ -1,47 +1,45 @@
 name: Docker Build and Push
 
 on:
-  pull_request:
-    branches: [main]
   push:
     branches: [main]
+  pull_request:
   schedule:
-    - cron: '0 0 * * *'
+    - cron: '30 3 * * 3'
 
 jobs:
-  build:
+  lint:
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
+      - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf
+        with:
+          dockerfile: Dockerfile
+          failure-threshold: error
 
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+  build-and-test:
+    runs-on: ubuntu-latest
+    needs: lint
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
+      - name: Build image
+        run: docker build -t ci-image:${{ github.sha }} .
+      - name: Run tests
+        run: bash tests/test.sh ci-image:${{ github.sha }}
 
-      - name: Login to Docker Hub
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+  push:
+    runs-on: ubuntu-latest
+    needs: build-and-test
+    if: github.event_name != 'pull_request'
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
+      - name: Build image
+        run: docker build -t ci-image:${{ github.sha }} .
+      - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Docker metadata
-        id: meta
-        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
-        with:
-          images: jcabillot/openchamber
-          tags: |
-            #type=ref,event=branch
-            #type=ref,event=pr
-            #type=sha
-            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
-
-      - name: Build and push
-        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
-        with:
-          context: .
-          file: Dockerfile
-          push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          pull: true
+      - name: Tag and push
+        run: |
+          docker tag ci-image:${{ github.sha }} jcabillot/opencode-openchamber:latest
+          docker push jcabillot/opencode-openchamber:latest
diff --git a/renovate.json b/renovate.json
index b12a327..c1f7af7 100644
--- a/renovate.json
+++ b/renovate.json
@@ -1,19 +1,21 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "customManagers": [
+  "regexManagers": [
     {
-      "customType": "regex",
       "description": "Track openchamber base Docker image FROM jcabillot/opencode",
-      "managerFilePatterns": ["/^Dockerfile$/"],
-      "matchStrings": ["FROM jcabillot/opencode:(?<currentValue>[^\\s]+)"],
+      "fileMatch": ["^Dockerfile$"],
+      "matchStrings": [
+        "FROM jcabillot/opencode:(?<currentValue>[^\\s]+)"
+      ],
       "depNameTemplate": "jcabillot/opencode",
       "datasourceTemplate": "docker"
     },
     {
-      "customType": "regex",
       "description": "Track @openchamber/web npm version from ARG in Dockerfile",
-      "managerFilePatterns": ["/^Dockerfile$/"],
-      "matchStrings": ["ARG OPENCHAMBER_WEB_VERSION=(?<currentValue>[^\\s]+)"],
+      "fileMatch": ["^Dockerfile$"],
+      "matchStrings": [
+        "ARG OPENCHAMBER_WEB_VERSION=(?<currentValue>[^\\s]+)"
+      ],
       "depNameTemplate": "@openchamber/web",
       "datasourceTemplate": "npm",
       "versioningTemplate": "npm"
diff --git a/tests/test.sh b/tests/test.sh
new file mode 100644
index 0000000..69f29b1
--- /dev/null
+++ b/tests/test.sh
@@ -0,0 +1,54 @@
+#!/bin/bash
+set -euo pipefail
+
+IMAGE="$1"
+FAILED=0
+PASSED=0
+
+TMPDIR="$(mktemp -d)"
+CONTAINER_NAME="test-$(echo "$IMAGE" | tr ':/' '-')-$$"
+trap 'docker rm -f "$CONTAINER_NAME" 2>/dev/null; rm -rf "$TMPDIR"' EXIT
+
+DOCKER_GW=$(docker network inspect bridge --format '{{range .IPAM.Config}}{{.Gateway}}{{end}}')
+BASE_URL="http://${DOCKER_GW}:3000"
+
+assert_eq() {
+  local desc="$1" expected="$2" actual="$3"
+  if [ "$expected" = "$actual" ]; then
+    echo "PASS: $desc"
+    PASSED=$((PASSED + 1))
+  else
+    echo "FAIL: $desc (expected '$expected', got '$actual')"
+    FAILED=$((FAILED + 1))
+  fi
+}
+
+docker run -d --name "$CONTAINER_NAME" -p 3000:3000 "$IMAGE"
+
+echo "Waiting for container..."
+READY=false
+for i in $(seq 1 30); do
+  if curl -s -o /dev/null "$BASE_URL/"; then
+    echo "Container ready (attempt $i)"
+    READY=true
+    break
+  fi
+  sleep 2
+done
+
+if [ "$READY" = false ]; then
+  echo "Container did not become ready within 60s"
+  echo "=== Container logs ==="
+  docker logs "$CONTAINER_NAME" 2>&1 || true
+  exit 1
+fi
+
+STATUS=$(curl -s -o "$TMPDIR/body" -w '%{http_code}' "$BASE_URL/")
+echo "HTTP status: $STATUS"
+assert_eq "HTTP 200" "200" "$STATUS"
+
+echo ""
+echo "$PASSED/$((PASSED + FAILED)) tests passed"
+if [ "$FAILED" -gt 0 ]; then
+  exit 1
+fi