diff --git a/.forgejo/workflows/build.yml b/.forgejo/workflows/build.yml
index fdef545..73116af 100644
--- a/.forgejo/workflows/build.yml
+++ b/.forgejo/workflows/build.yml
@@ -44,9 +44,10 @@ jobs:
- name: Push image
run: |
+ set -o xtrace
+ podman manifest rm localhost:${{ env.tag }} || true
- podman manifest create localhost:${{ env.tag }}
- podman manifest add localhost:${{ env.tag }} localhost/default:${{ env.tag }}
+ podman manifest create localhost:${{ env.tag }} localhost/default:${{ env.tag }}
podman manifest inspect localhost/:${{ env.tag }} > /tmp/manifest.json
curl -sS @/tmp/forgejo_token -X PUT --data-binary @/tmp/manifest.json ${{ forge.server_url }}/v2/${{ forge.owner }}/amrth/runners/manifests/${{ env.tag }}
diff --git a/.forgejo/workflows/lint.yml b/.forgejo/workflows/lint.yml
new file mode 100644
index 0000000..5674f78
--- /dev/null
+++ b/.forgejo/workflows/lint.yml
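Review bot: The added `set -o xtrace` turns on tracing but not error exit, so unless the runner's default shell for `run: |` already passes `-e`, a failed `podman manifest create` or `inspect` still lets the final `curl … PUT` upload whatever is left in /tmp/manifest.json; `set -eo pipefail -o xtrace` makes the step stop at the first broken command regardless of the default. Tracing also echoes every expanded argument into the job log, which is harmless here only because the token is referenced by path (`@/tmp/forgejo_token`) and never inline, so a comment such as `# xtrace: keep secrets out of command lines, they are logged` on that line would protect against a later edit. Separately, the manifest is now created as `localhost:${{ env.tag }}` but the unchanged inspect line reads `localhost/:${{ env.tag }}`, which looks like a typo for the same name; `podman manifest inspect localhost:${{ env.tag }} > /tmp/manifest.json` would match what was just created. The bare `@/tmp/forgejo_token` argument to curl has no option in front of it, so unless curl is wrapped on this runner it will be parsed as a URL rather than a credential file — confirm the intended flag (for example `-K`/`--config` or `-H @file`).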
@@ -0,0 +1,119 @@
+name: Lint
+
+on:
+ workflow_call:
+ inputs:
+ mergedSha:
+ required: true
+ type: string
+ targetSha:
+ required: true
+ type: string
+ secrets:
+ CACHIX_AUTH_TOKEN:
+ required: true
+
+permissions: {}
+
+defaults:
+ run:
+ shell: bash
+
+jobs:
+ treefmt:
+ runs-on: default
+ timeout-minutes: 10
+ steps:
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ sparse-checkout: .github/actions
+ - name: Checkout the merge commit
+ uses: ./.github/actions/checkout
+ with:
+ merged-as-untrusted-at: ${{ inputs.mergedSha }}
+
+ - uses: cachix/install-nix-action@56a7bb7b56d9a92d4fd1bc05758de7eea4a370a8 # v31
+
+ # TODO: Figure out how to best enable caching for the treefmt job. Cachix won't work well,
+ # because the cache would be invalidated on every commit - treefmt checks every file.
+ # Maybe we can cache treefmt's eval-cache somehow.
+
+ - name: Check that files are formatted
+ run: |
+ # Note that it's fine to run this on untrusted code because:
+ # - There's no secrets accessible here
+ # - The build is sandboxed
+ if ! nix-build nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A fmt.check; then
+ echo "Some files are not properly formatted"
+ echo "Please format them by going to the Nixpkgs root directory and running one of:"
+ echo " nix-shell --run treefmt"
+ echo " nix develop --command treefmt"
+ echo " nix fmt"
+ echo "Make sure your branch is up to date with master; rebase if not."
+ echo "If you're having trouble, please ping @NixOS/nix-formatting"
+ exit 1
+ fi
+
+ parse:
+ runs-on: ubuntu-24.04-arm
+ timeout-minutes: 10
+ steps:
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ sparse-checkout: .github/actions
+ - name: Checkout the merge commit
+ uses: ./.github/actions/checkout
+ with:
+ merged-as-untrusted-at: ${{ inputs.mergedSha }}
+
+ - uses: cachix/install-nix-action@56a7bb7b56d9a92d4fd1bc05758de7eea4a370a8 # v31
+
+ - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
+ with:
+ # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI.
+ name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }}
+ extraPullNames: nixpkgs-ci
+ authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ pushFilter: -source$
+
+ - name: Parse all nix files
+ run: |
+ # Tests multiple versions at once, let's make sure all of them run, so keep-going.
+ nix-build nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A parse --keep-going
+
+ nixpkgs-vet:
+ runs-on: ubuntu-24.04-arm
+ timeout-minutes: 10
+ steps:
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ sparse-checkout: .github/actions
+ - name: Checkout merge and target commits
+ uses: ./.github/actions/checkout
+ with:
+ merged-as-untrusted-at: ${{ inputs.mergedSha }}
+ target-as-trusted-at: ${{ inputs.targetSha }}
+
+ - uses: cachix/install-nix-action@56a7bb7b56d9a92d4fd1bc05758de7eea4a370a8 # v31
+
+ - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
+ with:
+ # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI.
+ name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }}
+ extraPullNames: nixpkgs-ci
+ authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ pushFilter: -source$
+
+ - name: Running nixpkgs-vet
+ env:
+ # Force terminal colors to be enabled. The library that `nixpkgs-vet` uses respects https://bixense.com/clicolors/
+ CLICOLOR_FORCE: 1
+ run: |
+ if nix-build nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A nixpkgs-vet --arg base "./nixpkgs/trusted" --arg head "./nixpkgs/untrusted"; then
+ exit 0
+ else
+ exitCode=$?
+ echo "To run locally: ./ci/nixpkgs-vet.sh $GITHUB_BASE_REF https://github.com/$GITHUB_REPOSITORY.git"
+ echo "If you're having trouble, ping @NixOS/nixpkgs-vet"
+ exit "$exitCode"
+ fi
\ No newline at end of file
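Review bot: The runner labels in the new file disagree with each other — treefmt uses `runs-on: default` while parse and nixpkgs-vet use `runs-on: ubuntu-24.04-arm`, a GitHub-hosted label that a Forgejo runner pool may not advertise, so those two jobs may queue indefinitely unless such a runner is registered; `runs-on: default` on all three jobs would be consistent with the first. The same question applies to `sparse-checkout: .github/actions` and `uses: ./.github/actions/checkout` in every job: this workflow lives under `.forgejo/workflows`, so confirm the composite checkout action really exists at that path in this repository rather than under `.forgejo/`. The failure hint in the nixpkgs-vet step hardcodes `https://github.com/$GITHUB_REPOSITORY.git`, whereas build.yml in this same diff derives the host from `${{ forge.server_url }}`, which would keep the hint correct on this forge. Finally, `exitCode=$?` in the else branch depends on `$?` still holding the status of the `if` condition, which is correct but silently breaks if a command is ever inserted above it; a short comment such as `# $? is still the nix-build status here` would make that intent explicit.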