diff --git a/.forgejo/workflows/build.yaml b/.forgejo/workflows/build.yaml
new file mode 100644
index 0000000..0b9d686
--- /dev/null
+++ b/.forgejo/workflows/build.yaml
@@ -0,0 +1,48 @@
+name: "Build"
+on:
+  pull_request:
+jobs:
+  nix-build:
+    if: github.event.pull_request.draft == false
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - system: fj-hetzner-aarch64-01
+            os: native-aarch64
+          - system: fj-shadowfax-01
+            os: native-x86_64
+    runs-on: ${{ matrix.os }}
+    env:
+      PATH: ${{ format('{0}:{1}', '/run/current-system/sw/bin', env.PATH) }}
+    steps:
+      - name: Checkout repository
+        uses: https://github.com/actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: https://github.com/cachix/cachix-action@v15
+        if: ${{ !github.event.pull_request.head.repo.fork }}
+        with:
+          name: hsndev
+          # If you chose API tokens for write access OR if you have a private cache
+          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+
+      - name: Garbage collect build dependencies
+        run: nix-collect-garbage
+
+      - name: Build new ${{ matrix.system }} system
+        shell: bash
+        run: |
+          set -o pipefail
+          nix build \
+            ".#top.${{ matrix.system }}" \
+            --profile ./profile \
+            --fallback \
+            -v \
+            --log-format raw \
+             > >(tee stdout.log) 2> >(tee /tmp/nix-build-err.log >&2)
+      - name: Push to Cachix
+        if: success()
+        env:
+          CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
+        run: nix build ".#top.${{ matrix.system }}" --json | jq -r .[].drvPath | cachix push hsndev
\ No newline at end of file