diff --git a/.gitea/workflows/ci-cd.yml b/.gitea/workflows/ci-cd.yml
index fab988d..b66ce29 100644
--- a/.gitea/workflows/ci-cd.yml
+++ b/.gitea/workflows/ci-cd.yml
@@ -82,10 +82,10 @@ jobs:
 
       - name: Trust Nexus mirror CA (diagnostic)
         # Verbose / fail-fast version to expose exactly where the chain trust breaks.
-        # shell: bash required — Gitea act runner defaults to sh, which lacks pipefail.
-        shell: bash
+        # Gitea act runner v0.6.1 ignores shell: overrides and always uses sh.
+        # Use set -eu (POSIX) — pipefail is bash-only and crashes sh on line 1.
         run: |
-          set -euo pipefail
+          set -eu
           echo "=== OS / OpenSSL info ==="
           cat /etc/os-release | head -4 || true
           openssl version || true
@@ -171,8 +171,9 @@ jobs:
 
       - name: Trust Nexus mirror CA (diagnostic)
         # Same verbose/fail-fast step as api-build — see that job for full comments.
+        # Gitea act runner v0.6.1 ignores shell: overrides; use POSIX set -eu.
         run: |
-          set -euo pipefail
+          set -eu
           curl -v --max-time 15 http://yr.i.lencr.org/ -o /tmp/isrg-root-yr.der 2>&1
           echo "File size: $(wc -c < /tmp/isrg-root-yr.der) bytes"
           openssl x509 -inform DER -in /tmp/isrg-root-yr.der \