diff --git a/.gitea/workflows/build.yml b/.gitea/workflows/build.yml
index 20866f4..9c0d0ed 100644
--- a/.gitea/workflows/build.yml
+++ b/.gitea/workflows/build.yml
@@ -2,48 +2,124 @@ name: Build & Deploy ResearchOwl on: push: - branches: [main] + branches: + - main + +env: + REGISTRY: gitea.gitea.svc.cluster.local:3000 + K8S_MANIFESTS_REPO: http://chemavx:${{ secrets.CI_TOKEN }}@gitea.gitea.svc.cluster.local:3000/chemavx/k8s-manifests.git + GIT_SSL_NO_VERIFY: "true" + TELEGRAM_CHAT_ID: "5138407666" jobs: - build: + build-and-push: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Checkout + uses: actions/checkout@v4 + with: + ssl-verify: false - - name: Validate manifests + - name: Set image tag + id: tag + run: echo "TAG=${GITHUB_SHA::8}" >> $GITHUB_OUTPUT + + - name: Log in to registry + run: echo "${{ secrets.CI_TOKEN }}" | docker login gitea.gitea.svc.cluster.local:3000 -u chemavx --password-stdin + + - name: Create buildx builder run: | - for f in k8s/*.yaml; do - python3 -c "import yaml; list(yaml.safe_load_all(open('$f')))" && echo "✅ $f OK" - done + cat > /tmp/buildkitd.toml << 'EOF' + [registry."registry-cache.registry-cache.svc.cluster.local:5000"] + http = true + insecure = true - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + [registry."gitea.gitea.svc.cluster.local:3000"] + http = true + insecure = true - - name: Login to Gitea Registry - uses: docker/login-action@v3 - with: - registry: git.chemavx.xyz - username: ${{ secrets.REGISTRY_USER }} - password: ${{ secrets.REGISTRY_PASSWORD }} + [registry."docker.io"] + mirrors = ["registry-cache.registry-cache.svc.cluster.local:5000"] + EOF + docker buildx create \ + --name ci-builder \ + --driver docker-container \ + --driver-opt network=host \ + --config /tmp/buildkitd.toml \ + --use + docker buildx inspect --bootstrap - - name: Build and push - uses: docker/build-push-action@v5 - with: - context: . 
- push: true - tags: git.chemavx.xyz/chemavx/researchowl:latest - cache-from: type=registry,ref=git.chemavx.xyz/chemavx/researchowl:cache - cache-to: type=registry,ref=git.chemavx.xyz/chemavx/researchowl:cache,mode=max + - name: Build and push image + run: | + TAG=${{ steps.tag.outputs.TAG }} + docker buildx build \ + --builder ci-builder \ + --cache-from type=registry,ref=gitea.gitea.svc.cluster.local:3000/chemavx/researchowl:buildcache \ + --cache-to type=registry,ref=gitea.gitea.svc.cluster.local:3000/chemavx/researchowl:buildcache,mode=max \ + -t gitea.gitea.svc.cluster.local:3000/chemavx/researchowl:${TAG} \ + --push \ + -f Dockerfile . + + - name: Verify image in registry + run: | + TAG=${{ steps.tag.outputs.TAG }} + HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \ + -u "chemavx:${{ secrets.CI_TOKEN }}" \ + -H "Accept: application/vnd.docker.distribution.manifest.v2+json" \ + "http://gitea.gitea.svc.cluster.local:3000/v2/chemavx/researchowl/manifests/${TAG}") + if [ "$HTTP_CODE" != "200" ]; then + echo "ERROR: chemavx/researchowl:${TAG} not found in registry (HTTP $HTTP_CODE)" + exit 1 + fi + echo "OK: chemavx/researchowl:${TAG} verified in registry" + + - name: Update k8s manifests + run: | + pip3 install pyyaml -q + + TAG=${{ steps.tag.outputs.TAG }} + + git config --global user.email "ci@git.chemavx.xyz" + git config --global user.name "Gitea CI" + + git clone ${{ env.K8S_MANIFESTS_REPO }} /tmp/k8s-manifests + cd /tmp/k8s-manifests + + sed -i "s|image: .*researchowl:.*|image: git.chemavx.xyz/chemavx/researchowl:${TAG}|g" \ + researchowl/deployment.yaml + sed -i "s|imagePullPolicy: Never|imagePullPolicy: Always|g" \ + researchowl/deployment.yaml + + python3 -c " + import yaml, sys + f = 'researchowl/deployment.yaml' + try: + list(yaml.safe_load_all(open(f))) + print('OK: ' + f) + except yaml.YAMLError as e: + print('FAIL: ' + f + ': ' + str(e), file=sys.stderr) + sys.exit(1) + " + + git add researchowl/deployment.yaml + git diff --cached --quiet || git 
commit -m "ci: update researchowl image to ${TAG} [skip ci]" + git push - name: Notify Telegram if: always() env: - TOKEN: ${{ secrets.TELEGRAM_BOT_TOKEN }} - CHAT: ${{ secrets.TELEGRAM_CHAT_ID }} + TAG: ${{ steps.tag.outputs.TAG }} + JOB_STATUS: ${{ job.status }} + TELEGRAM_TOKEN: ${{ secrets.TELEGRAM_BOT_TOKEN }} run: | - STATUS="${{ job.status }}" - EMOJI="✅" - if [ "$STATUS" != "success" ]; then EMOJI="❌"; fi - MSG="${EMOJI} ResearchOwl build ${STATUS} — $(git log -1 --pretty='%s')" - curl -s -X POST "https://api.telegram.org/bot${TOKEN}/sendMessage" \ - -d chat_id="${CHAT}" -d text="${MSG}" + TAG="${TAG:-${GITHUB_SHA:0:8}}" + if [ "$JOB_STATUS" = "success" ]; then + MSG="✅ Deploy researchowl:${TAG} completado" + else + MSG="❌ Deploy researchowl:${TAG} fallido (status: ${JOB_STATUS})" + fi + if [ -n "${TELEGRAM_TOKEN}" ]; then + curl -s -X POST "https://api.telegram.org/bot${TELEGRAM_TOKEN}/sendMessage" \ + -d "chat_id=${{ env.TELEGRAM_CHAT_ID }}" \ + --data-urlencode "text=${MSG}" + fi
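Review bot: The workflow-level `K8S_MANIFESTS_REPO` embeds `${{ secrets.CI_TOKEN }}` in an `http://` URL, so the token sits in the environment of every step, is written into `/tmp/k8s-manifests/.git/config` as the remote URL by `git clone`, and crosses the network unencrypted on clone and push. Keep the URL credential-free and hand the token only to the `Update k8s manifests` step through a step-level `env:` and a git credential helper, as sketched below. The `Log in to registry` and `Verify image in registry` steps interpolate the same secret straight into the script text, and would be better served by the `env:` pattern that `Notify Telegram` already uses. With `GIT_SSL_NO_VERIFY: "true"`, `ssl-verify: false` and the `http = true` / `insecure = true` registry entries, nothing in this pipeline authenticates the Gitea endpoint. If in-cluster TLS is not available, that decision deserves a comment next to the `env:` block saying why and which network boundary is relied on instead.

```yaml
env:
  K8S_MANIFESTS_REPO: http://gitea.gitea.svc.cluster.local:3000/chemavx/k8s-manifests.git
  # … unchanged: REGISTRY, GIT_SSL_NO_VERIFY, TELEGRAM_CHAT_ID …

# … unchanged: jobs and steps up to "Verify image in registry" …

      - name: Update k8s manifests
        env:
          CI_TOKEN: ${{ secrets.CI_TOKEN }}
        run: |
          # … unchanged: pip3 install, TAG, git user.email / user.name …
          # The helper reads the token from the step environment when git asks
          # for credentials, so it is never stored in the remote URL or .git/config.
          git config --global credential.helper \
            '!f() { echo "username=chemavx"; echo "password=${CI_TOKEN}"; }; f'
          git clone "${K8S_MANIFESTS_REPO}" /tmp/k8s-manifests
          # … unchanged: sed edits, YAML validation, commit and push …
```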