diff --git a/.gitea/workflows/ci.yaml b/.gitea/workflows/ci.yaml
index 87c1a60..736f06a 100644
--- a/.gitea/workflows/ci.yaml
+++ b/.gitea/workflows/ci.yaml
@@ -62,7 +62,8 @@ jobs:
         working-directory: update
 
       - name: Upload binaries
-        uses: actions/upload-artifact@v4
+        # @v4 not yet fully supported by Gitea Actions runner; @v3 works.
+        uses: actions/upload-artifact@v3
         with:
           name: binaries-${{ matrix.suffix }}
           path: |
@@ -78,14 +79,39 @@ jobs:
       - name: Install shellcheck
         run: sudo apt-get update && sudo apt-get install -y shellcheck
 
+      # --severity=error filters out style/info/warning findings. Several of
+      # those are unavoidable in init-style scripts that source other files
+      # dynamically (SC1090/SC1091/SC2034). Exclude them explicitly so they
+      # don't fire even at warning level if we lift severity later.
+      # Codes excluded:
+      #   SC1090 — non-constant source path (we source by stage name)
+      #   SC1091 — source target not specified as input (we reference relative paths)
+      #   SC2034 — var "unused" (false positive: used via sourced scripts)
+      #   SC2002 — useless cat (style only, very common pattern in our scripts)
+      #   SC2015 — A && B || C (deliberate idiom)
+      #   SC2012 — use find not ls (style only)
+      #   SC2013 — read words not lines (style only, applies to /proc parsing)
+
       - name: Lint init scripts (POSIX sh)
-        run: shellcheck -s sh init/init.sh init/lib/*.sh init/emergency-shell.sh
+        run: |
+          shellcheck -s sh --severity=error \
+            -e SC1090,SC1091,SC2034,SC2002,SC2015,SC2012,SC2013 \
+            init/init.sh init/lib/*.sh init/emergency-shell.sh
 
       - name: Lint build scripts (bash)
-        run: shellcheck -s bash build/scripts/*.sh build/config/kernel-audit.sh
+        run: |
+          shellcheck -s bash --severity=error \
+            -e SC1090,SC1091,SC2034,SC2002,SC2015,SC2012,SC2013 \
+            build/scripts/*.sh build/config/kernel-audit.sh
 
       - name: Lint test scripts (bash)
-        run: shellcheck -s bash test/qemu/*.sh test/integration/*.sh test/kernel/*.sh || true
+        run: |
+          shellcheck -s bash --severity=error \
+            -e SC1090,SC1091,SC2034,SC2002,SC2015,SC2012,SC2013 \
+            test/qemu/*.sh test/integration/*.sh test/kernel/*.sh
 
       - name: Lint hack scripts (bash)
-        run: shellcheck -s bash hack/*.sh || true
+        run: |
+          shellcheck -s bash --severity=error \
+            -e SC1090,SC1091,SC2034,SC2002,SC2015,SC2012,SC2013 \
+            hack/*.sh