diff --git a/.gitea/workflows/lint.yml b/.gitea/workflows/lint.yml
index 461b392..73f40bf 100644
--- a/.gitea/workflows/lint.yml
+++ b/.gitea/workflows/lint.yml
@@ -40,6 +40,8 @@ jobs:
 runs-on: ubuntu-latest
 needs: [php-lint, js-lint]
 if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/development')
+ permissions:
+ contents: write
 steps:
 - name: Trigger webhook
 env:
@@ -60,3 +62,32 @@ jobs:
 -d "$PAYLOAD" \
 "http://10.10.10.45:9000/hooks/${HOOK_ID}"
+ - name: Tag deployed commit
+ if: github.ref == 'refs/heads/main'
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ TAG="deploy-$(date -u +%Y.%m.%d)-${{ github.run_number }}"
+ curl -sf -X POST \
+ -H "Authorization: token $GITHUB_TOKEN" \
+ -H "Content-Type: application/json" \
+ -d "{\"tag_name\":\"${TAG}\",\"target\":\"${{ github.sha }}\",\"message\":\"Deployed to production\"}" \
+ "https://code.lotusguild.org/api/v1/repos/${{ github.repository }}/tags"
+
+ notify-failure:
+ name: Notify on failure
+ runs-on: ubuntu-latest
+ needs: [php-lint, js-lint]
+ if: failure() && github.event_name == 'push'
+ steps:
+ - name: Send Matrix alert
+ env:
+ MATRIX_WEBHOOK_URL: ${{ secrets.MATRIX_WEBHOOK_URL }}
+ REPO: ${{ github.repository }}
+ BRANCH: ${{ github.ref_name }}
+ RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+ run: |
+ if [ -z "$MATRIX_WEBHOOK_URL" ] || [ "$MATRIX_WEBHOOK_URL" = "CONFIGURE_ME" ]; then exit 0; fi
+ curl -sf -X POST "$MATRIX_WEBHOOK_URL" \
+ -H "Content-Type: application/json" \
+ -d "{\"text\":\"CI FAILED: ${REPO} @ ${BRANCH} — ${RUN_URL}\"}"
diff --git a/.gitea/workflows/security.yml b/.gitea/workflows/security.yml
new file mode 100644
index 0000000..8c8f096
--- /dev/null
+++ b/.gitea/workflows/security.yml
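Review bot: The `contents: write` grant is job-scoped, so it also covers the existing `Trigger webhook` step, which does not use the token; the job's header (its id and name) sits just above this hunk, outside the diff. A comment above `permissions:` would record why the write scope exists, e.g. `# contents: write is needed only by the "Tag deployed commit" step (POST /api/v1/repos/{repo}/tags)`, so a later reader does not widen or drop it by mistake.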
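Review bot: `notify-failure` lists only `php-lint` and `js-lint` in `needs`, so a failure of the new `Tag deployed commit` step or of the webhook step in the deploy job (whose id is defined above the first hunk, outside the diff) never produces a Matrix alert; adding that job id to `needs` covers it, and `failure()` should still be false when the deploy job is merely skipped on non-main pushes — worth confirming against the runner's semantics. Both new curl calls use `-sf`, which also suppresses the error text on a non-2xx response, so a rejected tag request fails the step with no diagnostic in the log; `curl -sSf` keeps the quiet progress meter but prints the error. The tag step interpolates `${{ github.run_number }}`, `${{ github.sha }}` and `${{ github.repository }}` straight into the script while the Matrix step passes the same kind of context through `env:`; moving them into `env:` keeps the injection-safe pattern consistent even though these particular values are not user-controlled. The API host is hard-coded as `https://code.lotusguild.org` whereas `RUN_URL` is derived from `${{ github.server_url }}`; `${{ github.server_url }}/api/v1/repos/${{ github.repository }}/tags` keeps the two in step if the instance ever moves. `BRANCH` is spliced into the JSON body unescaped, so a branch name containing a double quote yields an invalid payload — minor, but `jq -n --arg` would build it safely if jq is present on the runner image.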
@@ -0,0 +1,25 @@
+name: Security
+
+on:
+ push:
+ branches: ["**"]
+ pull_request:
+ branches: ["**"]
+ schedule:
+ - cron: '0 6 * * 1'
+
+jobs:
+ semgrep:
+ name: PHP Security (semgrep)
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Install semgrep
+ run: |
+ apt-get update -qq
+ apt-get install -y -qq python3 python3-pip
+ pip3 install semgrep
+
+ - name: Run semgrep
+ run: semgrep --config=p/php --config=p/owasp-top-ten --error .
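Review bot: The job runs `actions/checkout@v3` pinned to a mutable tag and installs the scanner with an unpinned `pip3 install semgrep`, so both the checkout action and semgrep itself can change between runs without any change to this repository; pinning to a full commit SHA, `- uses: actions/checkout@<full-commit-sha>  # v3`, and `pip3 install semgrep==<pinned-version>` (placeholders) makes the scan reproducible and lets a toolchain change show up in review. The `semgrep` job declares no `permissions:` block while lint.yml in this same commit scopes permissions per job; `permissions:` with `contents: read` on this job documents that the scan only needs to read the checkout. `--config=p/php --config=p/owasp-top-ten` fetches rule packs from the Semgrep registry at run time and, for registry configs, semgrep enables metrics reporting by default, so `--metrics=off` is worth adding if outbound telemetry from CI is not wanted. The `apt-get` calls run without `sudo`, which presumes the runner image executes as root; that holds for common act_runner images but should be confirmed for this runner.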