diff --git a/.github/workflows/build-android-emulator.yml b/.github/workflows/build-android-emulator.yml
new file mode 100644
index 00000000..3e9ffd5d
--- /dev/null
+++ b/.github/workflows/build-android-emulator.yml
@@ -0,0 +1,36 @@
+name: Build android-emulator
+
+# ADR-0002: infra-owned image built off-infra on GHA → ghcr (public).
+# Large image (Android SDK + emulator); on-demand workload (scaled 0). Rebuilds
+# rare → dispatch + path trigger.
+on:
+  push:
+    branches: [master]
+    paths:
+      - 'stacks/android-emulator/docker/**'
+  workflow_dispatch: {}
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: docker/build-push-action@v6
+        with:
+          context: stacks/android-emulator/docker
+          platforms: linux/amd64
+          provenance: false
+          push: true
+          tags: |
+            ghcr.io/viktorbarzin/android-emulator:latest
+            ghcr.io/viktorbarzin/android-emulator:${{ github.sha }}
diff --git a/.github/workflows/build-chrome-service-novnc.yml b/.github/workflows/build-chrome-service-novnc.yml
new file mode 100644
index 00000000..78daa6e5
--- /dev/null
+++ b/.github/workflows/build-chrome-service-novnc.yml
@@ -0,0 +1,36 @@
+name: Build chrome-service-novnc
+
+# ADR-0002: infra-owned image built off-infra on GHA → ghcr (public).
+# Source Dockerfile identical on both git remotes, so the github checkout builds
+# the current image. Rebuilds are rare (stable noVNC proxy) → dispatch + path.
+on:
+  push:
+    branches: [master]
+    paths:
+      - 'stacks/chrome-service/files/novnc/**'
+  workflow_dispatch: {}
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: docker/build-push-action@v6
+        with:
+          context: stacks/chrome-service/files/novnc
+          platforms: linux/amd64
+          provenance: false
+          push: true
+          tags: |
+            ghcr.io/viktorbarzin/chrome-service-novnc:latest
+            ghcr.io/viktorbarzin/chrome-service-novnc:${{ github.sha }}
diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml
new file mode 100644
index 00000000..f27856dc
--- /dev/null
+++ b/.github/workflows/build-cli.yml
@@ -0,0 +1,41 @@
+name: Build infra CLI
+
+# ADR-0002: infra CLI built off-infra on GHA. Replaces the Woodpecker
+# build-cli.yml. Pushes to DockerHub (public distribution, kept) + ghcr.
+# Not a cluster workload — a distributed tool image.
+on:
+  push:
+    branches: [master]
+    paths:
+      - 'cli/**'
+  workflow_dispatch: {}
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - uses: docker/build-push-action@v6
+        with:
+          context: cli
+          platforms: linux/amd64
+          provenance: false
+          push: true
+          tags: |
+            viktorbarzin/infra:latest
+            ghcr.io/viktorbarzin/infra-cli:latest
+            ghcr.io/viktorbarzin/infra-cli:${{ github.sha }}
diff --git a/.woodpecker/build-cli.yml b/.woodpecker/build-cli.yml
deleted file mode 100644
index cf95da7e..00000000
--- a/.woodpecker/build-cli.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-when:
-  event: push
-
-clone:
-  git:
-    image: woodpeckerci/plugin-git
-    settings:
-      attempts: 5
-      backoff: 10s
-
-steps:
-  - name: build-image
-    image: woodpeckerci/plugin-docker-buildx
-    settings:
-      username: "viktorbarzin"
-      password:
-        from_secret: dockerhub-pat
-      # Phase 4 of forgejo-registry-consolidation 2026-05-07 —
-      # registry.viktorbarzin.me:5050 decommissioned. Push to DockerHub
-      # (the public-facing infra image) AND Forgejo (the cluster pull
-      # source). Same image, two locations.
-      repo:
-        - viktorbarzin/infra
-        - forgejo.viktorbarzin.me/viktor/infra
-      logins:
-        - registry: https://index.docker.io/v1/
-          username: viktorbarzin
-          password:
-            from_secret: dockerhub-pat
-        - registry: forgejo.viktorbarzin.me
-          username:
-            from_secret: forgejo_user
-          password:
-            from_secret: forgejo_push_token
-      dockerfile: cli/Dockerfile
-      context: cli
-      auto_tag: true
-      # cache_from/cache_to removed: registry cache corruption causes
-      # "short read: expected 32 bytes" BuildKit errors. Inline cache
-      # will be re-populated once a clean image is pushed.
-      # cache_from: "registry.viktorbarzin.me:5050/infra:latest"
-      # cache_to: "type=inline"