diff --git a/.gitea/workflows/cd.yaml b/.gitea/workflows/cd.yaml
index cac62721..ec05aac3 100644
--- a/.gitea/workflows/cd.yaml
+++ b/.gitea/workflows/cd.yaml
@@ -208,6 +208,8 @@ jobs:
 ;;
 docs/operations/awoooi-priority-work-order-readback.snapshot.json)
 ;;
+ docs/operations/awoooi-gitea-private-inventory-p0-scorecard.snapshot.json)
+ ;;
 docs/operations/p0-cicd-baseline-source-readiness.snapshot.json)
 ;;
 docs/operations/awoooi-production-deploy-readback-blocker.snapshot.json)
@@ -316,6 +318,10 @@ jobs:
 ;;
 scripts/ci/wait-host-web-build-pressure.sh)
 ;;
+ scripts/security/gitea-private-inventory-p0-scorecard.py)
+ ;;
+ scripts/security/tests/test_gitea_private_inventory_p0_scorecard.py)
+ ;;
 scripts/reboot-recovery/dr-escrow-evidence-checklist.py)
 ;;
 scripts/reboot-recovery/tests/test_dr_escrow_evidence_checklist.py)
@@ -428,7 +434,8 @@ jobs:
 src/services/platform_operator_service.py \
 src/services/telegram_gateway.py
 python3.11 -m py_compile \
- ../../scripts/reboot-recovery/dr-escrow-evidence-checklist.py
+ ../../scripts/reboot-recovery/dr-escrow-evidence-checklist.py \
+ ../../scripts/security/gitea-private-inventory-p0-scorecard.py
 DATABASE_URL="${DATABASE_URL:-postgresql+asyncpg://ci:ci@localhost/ci}" \
 PYTHONFAULTHANDLER=1 python3.11 -m pytest \
 tests/test_agent_replay_normalizer.py \
@@ -447,6 +454,7 @@ jobs:
 ../../ops/runner/test_cd_controlled_runtime_profile.py \
 ../../ops/runner/test_verify_awoooi_non110_cd_closure.py \
 ../../scripts/reboot-recovery/tests/test_dr_escrow_evidence_checklist.py \
+ ../../scripts/security/tests/test_gitea_private_inventory_p0_scorecard.py \
 -v --tb=short -x -p no:cacheprovider \
 2>&1 | tee /tmp/pytest-output.txt; PYTEST_EXIT=${PIPESTATUS[0]}
 else
diff --git a/ops/runner/test_cd_controlled_runtime_profile.py b/ops/runner/test_cd_controlled_runtime_profile.py
index acf73f7c..7adca811 100644
--- a/ops/runner/test_cd_controlled_runtime_profile.py
+++ b/ops/runner/test_cd_controlled_runtime_profile.py
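Review bot: The `python3.11 -m py_compile` command that now also covers `../../scripts/security/gitea-private-inventory-p0-scorecard.py` (hunk `@@ -428,7 +434,8 @@`) has no visible exit-status handling, whereas the pytest invocation a few lines below captures `PYTEST_EXIT=${PIPESTATUS[0]}` explicitly; unless the step runs under `set -e` somewhere outside the hunk, a syntax error in the new security script would print a traceback and the job would carry on into pytest. If the step is not already fail-fast, `python3.11 -m py_compile ... || exit 1` (or checking the status the way pytest's is checked) would make the compile gate actually gate. The same new paths also appear in the case allow-list at `@@ -316,6 +318,10 @@` and in the pytest list at `@@ -447,6 +454,7 @@`, and the new test in `ops/runner/test_cd_controlled_runtime_profile.py` pins all of them; a short comment next to the py_compile list, `# keep in step with the case arms above and test_cd_controlled_runtime_profile.py`, would help the four places stay aligned. The enclosing run block starts and ends outside the hunk.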
@@ -83,6 +83,19 @@ def test_dr_escrow_checklist_stays_on_controlled_runtime_profile() -> None:
 assert source in text


+def test_gitea_private_inventory_scorecard_stays_on_controlled_runtime_profile() -> None:
+ text = _workflow_text()
+ expected_sources = [
+ "docs/operations/awoooi-gitea-private-inventory-p0-scorecard.snapshot.json)",
+ "scripts/security/gitea-private-inventory-p0-scorecard.py)",
+ "scripts/security/tests/test_gitea_private_inventory_p0_scorecard.py)",
+ "../../scripts/security/gitea-private-inventory-p0-scorecard.py",
+ "../../scripts/security/tests/test_gitea_private_inventory_p0_scorecard.py",
+ ]
+ for source in expected_sources:
+ assert source in text
+
+
 def test_controlled_runtime_skips_b5_before_docker_socket_use() -> None:
 text = _workflow_text()
 b5_start = text.index("- name: Integration Tests (B5")
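Review bot: `assert source in text` in the new test only proves each literal occurs somewhere in the workflow file, so it would still pass if `scripts/security/gitea-private-inventory-p0-scorecard.py)` were moved into an unrelated case statement or the `../../` pytest entry ended up in a different job; the name `..._stays_on_controlled_runtime_profile` promises more than a whole-file substring check delivers. The neighbouring `test_controlled_runtime_skips_b5_before_docker_socket_use` already uses `text.index(...)` to anchor on a step name, and bounding the search the same way (`start = text.index("<controlled-runtime step marker>")` followed by `assert source in text[start:end]`) would make the test fail when the entries drift. I cannot see from this hunk which step names delimit that section, so the anchor strings need confirming against the workflow. A one-line docstring such as `"""The scorecard script, its test and its snapshot are wired into the controlled-runtime CD gates."""` would also record the intent for the next person extending the list.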