diff --git a/.github/workflows/container-image.yml b/.github/workflows/container-image.yml new file mode 100644 index 0000000..e18a6a3 --- /dev/null +++ b/.github/workflows/container-image.yml @@ -0,0 +1,45 @@ +--- +name: Build and push container image + +# yamllint disable-line rule:truthy +on: + workflow_call: + secrets: + DOCKERHUB_USERNAME: + required: true + DOCKERHUB_TOKEN: + required: true + +jobs: + container-image: + runs-on: ubuntu-latest + + permissions: + contents: read + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to DockerHub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Build and push Docker image + uses: docker/build-push-action@v5 + with: + context: . + push: true + platforms: linux/arm64,linux/amd64 + tags: "${{ vars.IMAGE_NAME }}:${{ vars.IMAGE_VARIANT }}-gh-build-${{ github.run_id }}" + build-args: | + build_log_label=GH Build #${{ github.run_number }} + build_log_url=${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} diff --git a/.github/workflows/dockerhub-latest.yml b/.github/workflows/dockerhub-latest.yml new file mode 100644 index 0000000..51ec2e4 --- /dev/null +++ b/.github/workflows/dockerhub-latest.yml 
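Review bot: Every action in this job is pinned to a mutable major tag (`actions/checkout@v4`, `docker/setup-qemu-action@v3`, `docker/setup-buildx-action@v3`, `docker/login-action@v3`, `docker/build-push-action@v5`) while the job holds the DockerHub push token, so a moved tag changes what runs with that credential; pinning each to a full commit SHA with the version in a trailing comment (`uses: docker/login-action@<commit-sha>  # v3`) closes that. `push: true` is unconditional and the tag is `${{ vars.IMAGE_VARIANT }}-gh-build-${{ github.run_id }}`, so every caller run publishes a new, never-pruned tag to the registry; a comment above `push:` such as `# pushed on every run: the integration-test and tag workflows pull this image by run_id` would at least record that the registry is the hand-off point between jobs. The same tag-pinning remark applies to the actions in dockerhub-latest.yml, dockerhub-rolling.yml, github-release.yml and integration-test.yml further down.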
@@ -0,0 +1,42 @@ +--- +name: Tag latest container image + +# yamllint disable-line rule:truthy +on: + workflow_call: + secrets: + DOCKERHUB_USERNAME: + required: true + DOCKERHUB_TOKEN: + required: true + +jobs: + latest-image: + runs-on: ubuntu-latest + + permissions: + contents: read + + steps: + - name: Login to DockerHub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Extract Version (Patch) + run: echo "VERSION_PATCH=${GITHUB_REF_NAME#v}" >> $GITHUB_ENV + + - name: Extract Version (Minor) + run: echo "VERSION_MINOR=${VERSION_PATCH%.*}" >> $GITHUB_ENV + + - name: Extract Version (Major) + run: echo "VERSION_MAJOR=${VERSION_MINOR%.*}" >> $GITHUB_ENV + + - name: Tag docker image + run: >- + docker buildx imagetools create ${{ vars.IMAGE_NAME }}:${{ vars.IMAGE_VARIANT }}-gh-build-${{ github.run_id }} + --tag ${{ vars.IMAGE_NAME }}:${{ vars.IMAGE_VARIANT }}-${{ env.VERSION_PATCH}} + --tag ${{ vars.IMAGE_NAME }}:${{ vars.IMAGE_VARIANT }}-${{ env.VERSION_MINOR}} + --tag ${{ vars.IMAGE_NAME }}:${{ vars.IMAGE_VARIANT }}-${{ env.VERSION_MAJOR}} + --tag ${{ vars.IMAGE_NAME }}:${{ vars.IMAGE_VARIANT }} diff --git a/.github/workflows/dockerhub-rolling.yml b/.github/workflows/dockerhub-rolling.yml new file mode 100644 index 0000000..17cd90b --- /dev/null +++ b/.github/workflows/dockerhub-rolling.yml 
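Review bot: The last step splices `${{ env.VERSION_PATCH}}`, `${{ env.VERSION_MINOR}}` and `${{ env.VERSION_MAJOR}}` (also missing the space before `}}`) into the `run:` script as expression text even though the same values are already shell variables in that step; `--tag ${{ vars.IMAGE_NAME }}:${{ vars.IMAGE_VARIANT }}-$VERSION_PATCH` (and likewise for minor/major) passes the ref-derived value as data rather than re-parsing it through the shell, which is the form GitHub's hardening guidance recommends. Nothing checks that `GITHUB_REF_NAME` is a `vX.Y.Z` tag: on a two-component tag like `v1.2` the Minor and Major steps both produce `1`, and on any other ref the `#v` strip is a no-op and the bare name is pushed as an image tag. A guard in the first step, `[[ "$GITHUB_REF_NAME" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]] || exit 1`, would fail fast instead.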
@@ -0,0 +1,28 @@ +--- +name: Tag rolling container image + +# yamllint disable-line rule:truthy +on: + workflow_call: + secrets: + DOCKERHUB_USERNAME: + required: true + DOCKERHUB_TOKEN: + required: true + +jobs: + rolling-image: + runs-on: ubuntu-latest + + permissions: + contents: read + + steps: + - name: Login to DockerHub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Tag docker image + run: docker buildx imagetools create ${{ vars.IMAGE_NAME }}:${{ vars.IMAGE_VARIANT }}-gh-build-${{ github.run_id }} --tag ${{ vars.IMAGE_NAME }}:${{ vars.IMAGE_VARIANT }}-rolling diff --git a/.github/workflows/github-release.yml b/.github/workflows/github-release.yml new file mode 100644 index 0000000..fc4ce5b --- /dev/null +++ b/.github/workflows/github-release.yml @@ -0,0 +1,34 @@ +--- +name: Create github release + +# yamllint disable-line rule:truthy +on: + workflow_call: + secrets: + DOCKERHUB_USERNAME: + required: true + DOCKERHUB_TOKEN: + required: true + +jobs: + release-notes: + runs-on: ubuntu-latest + + permissions: + contents: write # to be able to publish a GitHub release + issues: write # to be able to comment on released issues + pull-requests: write # to be able to comment on released pull requests + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: "lts/*" + + - name: Create Release + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: npx semantic-release diff --git a/.github/workflows/integration-test.yml b/.github/workflows/integration-test.yml new file mode 100644 index 0000000..70d4562 --- /dev/null +++ b/.github/workflows/integration-test.yml 
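Review bot: github-release.yml declares `DOCKERHUB_USERNAME` and `DOCKERHUB_TOKEN` as required secrets but no step in the job uses them, so every caller with `secrets: inherit` hands the registry token to a job that only needs `GITHUB_TOKEN`; removing those two entries (or the whole `secrets:` block) keeps the release job's exposure to what it actually reads. `run: npx semantic-release` resolves whatever version npm serves at run time under a token with `contents: write`, `issues: write` and `pull-requests: write`, unless the checked-out repository pins it in a package.json/lockfile that is not visible here; pinning explicitly (`npx semantic-release@<version>`) or installing from the lockfile with `npm ci` makes the release tooling reproducible. `actions/checkout@v4` and `actions/setup-node@v4` share the mutable-tag pinning point raised on container-image.yml.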
@@ -0,0 +1,42 @@ +--- +name: Run integration test on container image + +# yamllint disable-line rule:truthy +on: + workflow_call: + secrets: + PRIVATE_SSH_KEY: + required: true + PRIVATE_DIGITALOCEAN_TOKEN: + required: true + PRIVATE_CERTBOT_ACCOUNT_KEY: + required: true + +env: + IMAGE_NAME: ${{ vars.IMAGE_NAME }} + IMAGE_VARIANT: ${{ vars.IMAGE_VARIANT }} + IMAGE_BUILD_ID: "${{ vars.IMAGE_VARIANT }}-gh-build-${{ github.run_id }}" + PRIVATE_SSH_KEY: "${{ secrets.PRIVATE_SSH_KEY }}" + PRIVATE_DIGITALOCEAN_TOKEN: "${{ secrets.PRIVATE_DIGITALOCEAN_TOKEN }}" + PRIVATE_CERTBOT_ACCOUNT_KEY: "${{ secrets.PRIVATE_CERTBOT_ACCOUNT_KEY }}" + DOCKER_COMPOSE_ARGS: >- + -f integration-test/docker-compose.yml + -f integration-test/docker-compose.github.yml + -f integration-test/docker-compose.test-${{ vars.IMAGE_VARIANT }}.github.yml + +jobs: + integration-test: + runs-on: ubuntu-latest + + permissions: + contents: read + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Set up integration test + run: docker-compose ${{ env.DOCKER_COMPOSE_ARGS }} build + + - name: Run integration test + run: docker-compose ${{ env.DOCKER_COMPOSE_ARGS }} run sut diff --git a/.github/workflows/on-pull-request.yml b/.github/workflows/on-pull-request.yml new file mode 100644 index 0000000..68e91a1 --- /dev/null +++ b/.github/workflows/on-pull-request.yml @@ -0,0 +1,16 @@ +--- +name: Integration Tests (Pull Request) + +# yamllint disable-line rule:truthy +on: + pull_request: + +jobs: + build: + uses: ./.github/workflows/container-image.yml + secrets: inherit + + run: + needs: build + uses: ./.github/workflows/integration-test.yml + secrets: inherit diff --git a/.github/workflows/on-push-develop.yml b/.github/workflows/on-push-develop.yml new file mode 100644 index 0000000..6df1f57 --- /dev/null +++ b/.github/workflows/on-push-develop.yml 
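Review bot: `PRIVATE_SSH_KEY`, `PRIVATE_DIGITALOCEAN_TOKEN` and `PRIVATE_CERTBOT_ACCOUNT_KEY` are placed in the workflow-level `env:` block, so they are in the environment of every step including `actions/checkout@v4`, which has no use for them; moving those three entries to a step-level `env:` on the `Run integration test` step (and on `Set up integration test` only if the build actually needs them) limits which processes see the key material. The two `run:` lines also call the standalone v1 `docker-compose` binary; current `ubuntu-latest` images ship Compose v2 as the `docker compose` plugin and, as far as I can tell, no longer include the v1 binary, so this may fail at runtime — confirm against the runner image and, if so, change both lines to `docker compose ${{ env.DOCKER_COMPOSE_ARGS }} build` / `... run sut`.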
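Review bot: `on: pull_request` combined with `secrets: inherit` means each pull-request run pushes an image built from the PR's Dockerfile and build context to the registry (the push is unconditional in container-image.yml) and then runs the integration test against it with the repository's SSH deploy key, DigitalOcean token and ACME account key. For pull requests from forks the secrets are not passed, so the run fails at the DockerHub login step rather than skipping in a controlled way; if only same-repository PRs are meant to run this, an `if: github.event.pull_request.head.repo.full_name == github.repository` on the `build` job makes that explicit, and a comment above `on:` stating the intended behaviour for fork PRs would help either way.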
@@ -0,0 +1,23 @@ +--- +name: Publish Rolling Image (Push develop) + +# yamllint disable-line rule:truthy +on: + push: + branches: + - develop + +jobs: + build: + uses: ./.github/workflows/container-image.yml + secrets: inherit + + run: + needs: build + uses: ./.github/workflows/integration-test.yml + secrets: inherit + + tag: + needs: run + uses: ./.github/workflows/dockerhub-rolling.yml + secrets: inherit diff --git a/.github/workflows/on-push-latest.yml b/.github/workflows/on-push-latest.yml new file mode 100644 index 0000000..484d051 --- /dev/null +++ b/.github/workflows/on-push-latest.yml @@ -0,0 +1,23 @@ +--- +name: Publish Latest Image (Push latest) + +# yamllint disable-line rule:truthy +on: + push: + branches: + - latest + +jobs: + build: + uses: ./.github/workflows/container-image.yml + secrets: inherit + + run: + needs: build + uses: ./.github/workflows/integration-test.yml + secrets: inherit + + release: + needs: run + uses: ./.github/workflows/github-release.yml + secrets: inherit diff --git a/.github/workflows/on-release-published.yml b/.github/workflows/on-release-published.yml new file mode 100644 index 0000000..b6b734a --- /dev/null +++ b/.github/workflows/on-release-published.yml @@ -0,0 +1,22 @@ +--- +name: Publish Latest Image (Release Published) + +# yamllint disable-line rule:truthy +on: + release: + types: [published] + +jobs: + build: + uses: ./.github/workflows/container-image.yml + secrets: inherit + + run: + needs: build + uses: ./.github/workflows/integration-test.yml + secrets: inherit + + tag: + needs: run + uses: ./.github/workflows/dockerhub-latest.yml + secrets: inherit diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index 0b1ff83..0000000 --- a/.travis.yml +++ /dev/null 
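Review bot: on-push-latest.yml is named `Publish Latest Image (Push latest)` but its jobs only build, test and call github-release.yml; the versioned and bare `${{ vars.IMAGE_VARIANT }}` tags are pushed by on-release-published.yml, which fires on the release that semantic-release creates. Renaming it along the lines of `Create Release (Push latest)` and adding a comment above `release:` such as `# publishing the release triggers on-release-published.yml, which builds and tags the image` would make the two-stage flow visible from the Actions tab. Note that a push to `latest` therefore produces two separate build-and-test runs for the same commit (one here, one on the release event), which is presumably intended but worth stating in that comment.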
@@ -1,84 +0,0 @@ ---- -os: linux -dist: focal -language: shell -services: docker - -env: - global: - - IMAGE_NAME: certhub/certhub - - IMAGE_VARIANT: certbot - - IMAGE_BUILD_ID: "${IMAGE_VARIANT}-travis-build-${TRAVIS_BUILD_ID}" - - DOCKER_USERNAME: certhubci - # travis encrypt DOCKER_PASSWORD=abcdefg[...] - - secure: "P5QKiF0f7djJQZHS4iDnfbv1Rub4GILlg3WtfF+379kqXVU//AOKFw6dZpSnnigdgxiOm49J0nZIhPHdVEE7NIL+InRodFPim01WadoZhsMX1ZZ2Q/C87oxl/iW/tN7ryagZQb8JzM6AeRytS6EMaaFtMVuro76tpCD2fRofLBPE4XGxdNObyRJ7L+arJ0/PAL2TPzoXBRRuDiWM2RM3STqxaPwx7Eaqak3SmghNZF97xwPs/cODdjc4gZSETIXRFLkKvVQehT84N5M7lwJq4MuJN/5mDT1TnoA2oWXSzf5sGVDPqG4LI0+Qc6xWBoM/qYce4hslRnQsDrNN1UBNRlcOOjwF56/rT7pMbPoB4hYPMf/RKjmlOc8dMQl3lSxzfUvYn6FoNVsuI8Nr1JmMfiODZzy0SR+jAg13UXuwvmBoGtP0PiwPtP7qyjBK2X4sEY/p1qhPXYe79YEkdeSN2H9pS3LOb7Eaczcor3v5C19Ze5cRg49C84CAqMnq0lAcL6+Qwq7c76eMKXmG3sJBx5srOsffHKHlHHiE0CBg2yykhf8QGx+DAzQPVmqAb3i3MEviFzEGt2O9ygW5tfYcOgDRiWPcEXzCKqV2O3To5sTDKgYZVjEIDlVL4kmSItVAdPcIJsqBb52KsKFIy0QNOiUCnwntapwHQJhrdHUMUBM=" - # travis encrypt PRIVATE_SSH_KEY=$(printf %q "$( - docker build - --tag "${IMAGE_NAME}:${IMAGE_BUILD_ID}" - --build-arg build_log_label="Travis CI Build #${TRAVIS_BUILD_NUMBER}" - --build-arg build_log_url="${TRAVIS_BUILD_WEB_URL}" - . 
- - docker push "${IMAGE_NAME}:${IMAGE_BUILD_ID}" - - - stage: Integration test - env: - - DOCKER_COMPOSE_ARGS: > - " - -f integration-test/docker-compose.yml - -f integration-test/docker-compose.travis.yml - -f integration-test/docker-compose.test-${IMAGE_VARIANT}.travis.yml - " - script: - - docker-compose ${DOCKER_COMPOSE_ARGS} build - - docker-compose ${DOCKER_COMPOSE_ARGS} run sut - - - stage: Dockerhub rolling - script: - - docker pull "${IMAGE_NAME}:${IMAGE_BUILD_ID}" - - docker tag "${IMAGE_NAME}:${IMAGE_BUILD_ID}" "${IMAGE_NAME}:${IMAGE_VARIANT}-rolling" - - docker push "${IMAGE_NAME}:${IMAGE_VARIANT}-rolling" - - - stage: Github release - script: - - nvm install lts/* - - npx semantic-release - - - stage: Dockerhub release - script: - - export VERSION_PATCH="${TRAVIS_TAG#v}" - - export VERSION_MINOR="${VERSION_PATCH%.*}" - - export VERSION_MAJOR="${VERSION_MINOR%.*}" - - docker pull "${IMAGE_NAME}:${IMAGE_BUILD_ID}" - - docker tag "${IMAGE_NAME}:${IMAGE_BUILD_ID}" "${IMAGE_NAME}:${IMAGE_VARIANT}-${VERSION_PATCH}" - - docker tag "${IMAGE_NAME}:${IMAGE_BUILD_ID}" "${IMAGE_NAME}:${IMAGE_VARIANT}-${VERSION_MINOR}" - - docker tag "${IMAGE_NAME}:${IMAGE_BUILD_ID}" "${IMAGE_NAME}:${IMAGE_VARIANT}-${VERSION_MAJOR}" - - docker tag "${IMAGE_NAME}:${IMAGE_BUILD_ID}" "${IMAGE_NAME}:${IMAGE_VARIANT}" - - docker push "${IMAGE_NAME}:${IMAGE_VARIANT}-${VERSION_PATCH}" - - docker push "${IMAGE_NAME}:${IMAGE_VARIANT}-${VERSION_MINOR}" - - docker push "${IMAGE_NAME}:${IMAGE_VARIANT}-${VERSION_MAJOR}" - - docker push "${IMAGE_NAME}:${IMAGE_VARIANT}" diff --git a/README.md b/README.md index 9eba64d..85736a3 100644 --- a/README.md +++ b/README.md 
@@ -1,7 +1,7 @@ Official Certhub/Certbot Docker Image ===================================== -[![Build Status](https://travis-ci.org/certhub/certhub-certbot-docker.svg?branch=develop)](https://travis-ci.org/certhub/certhub-certbot-docker) +[![Build Status](https://github.com/certhub/certhub-certbot-docker/actions/workflows/on-push-latest.yml/badge.svg?branch=latest)](https://github.com/certhub/certhub-certbot-docker/actions/workflows/on-push-latest.yml) .oO'Oo. .oO'Oo. diff --git a/integration-test/docker-compose.github.yml b/integration-test/docker-compose.github.yml new file mode 100644 index 0000000..b3357da --- /dev/null +++ b/integration-test/docker-compose.github.yml @@ -0,0 +1,34 @@ +version: "3.4" + +services: + sut: + image: >- + ${IMAGE_NAME}:${IMAGE_BUILD_ID} + environment: + CERTHUB_MESSAGE_SUBJECT_ACTION: >- + Issue/renew by GH Build [#${GITHUB_RUN_NUMBER}](${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}) + CERTHUB_CERT_PATH: >- + {WORKDIR}/${IMAGE_VARIANT}-docker-test.fullchain.pem + CERTHUB_CSR_PATH: >- + ${IMAGE_VARIANT}-docker-test.csr.pem + GAU_REPO: >- + git@github.com:certhub/certhub-scratch-certs.git + GAU_SSH_PRIVKEY: >- + ${PRIVATE_SSH_KEY} + GAU_SSH_KNOWNHOSTS: | + github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl + GIT_AUTHOR_NAME: >- + ${GITHUB_ACTOR} + GIT_AUTHOR_EMAIL: >- + ${GITHUB_ACTOR_ID}+${GITHUB_ACTOR}@users.noreply.github.com + GIT_COMMITTER_NAME: >- + ${GITHUB_ACTOR} + GIT_COMMITTER_EMAIL: >- + ${GITHUB_ACTOR}@users.noreply.github.com + + config: + environment: + CONFIG_CSR_PATH: >- + ${IMAGE_VARIANT}-docker-test.csr.pem + CONFIG_CERT_CN: >- + ${IMAGE_VARIANT}-docker-test--gh-build-${GITHUB_RUN_ID}.ci.certhub.io diff --git a/integration-test/docker-compose.test-certbot.github.yml b/integration-test/docker-compose.test-certbot.github.yml new file mode 100644 index 0000000..54d9f5a --- /dev/null +++ b/integration-test/docker-compose.test-certbot.github.yml 
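Review bot: `CERTHUB_CERT_PATH: >- {WORKDIR}/${IMAGE_VARIANT}-docker-test.fullchain.pem` is the only value in docker-compose.github.yml whose brace expression lacks the `$` sigil, so Compose passes the literal `{WORKDIR}/...` through; if certhub does not expand `{WORKDIR}` itself this is a typo for `${WORKDIR}` — confirm which is intended and add a comment above the key either way. `GIT_AUTHOR_EMAIL` uses `${GITHUB_ACTOR_ID}+${GITHUB_ACTOR}@users.noreply.github.com` while `GIT_COMMITTER_EMAIL` uses `${GITHUB_ACTOR}@users.noreply.github.com`; the two should presumably match, i.e. `GIT_COMMITTER_EMAIL: >- ${GITHUB_ACTOR_ID}+${GITHUB_ACTOR}@users.noreply.github.com`. Pinning `GAU_SSH_KNOWNHOSTS` is the right approach for the deploy key, but a comment recording where the entry came from, e.g. `# github.com host key — check against GitHub's published SSH fingerprints before changing`, would help whoever has to update it.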
@@ -0,0 +1,38 @@ +version: "3.4" + +services: + sut: + command: /test/test-certbot.sh + environment: + CERTHUB_CERTBOT_CONFIG: >- + certbot.ini + CERTHUB_CERTBOT_ARGS: "" + CERTHUB_LEXICON_GLOBAL_ARGS: >- + --delegated ci.certhub.io + CERTHUB_LEXICON_PROVIDER: >- + digitalocean + LEXICON_DIGITALOCEAN_TOKEN: >- + ${PRIVATE_DIGITALOCEAN_TOKEN} + # Account setup via certhub-docker-entry script + # https://certhub.readthedocs.io/en/latest/certhub-docker-entry.8.html#environment-certbot + CERTHUB_CERTBOT_ACCOUNT_KEY: >- + ${PRIVATE_CERTBOT_ACCOUNT_KEY} + CERTHUB_CERTBOT_ACCOUNT_REGR: >- + { + "body": {}, + "uri": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/128042814" + } + CERTHUB_CERTBOT_ACCOUNT_META: >- + { + "creation_dt": "2023-12-06T20:48:18Z", + "creation_host": "localhost" + } + CERTHUB_CERTBOT_ACCOUNT_ID: >- + 32062752e4a4e45ef145c29ecfd067f4 + CERTHUB_CERTBOT_ACCOUNT_SERVER: >- + https://acme-staging-v02.api.letsencrypt.org/directory + + config: + command: /test/config-setup-certbot.sh + environment: + CONFIG_CERTBOT_INI_PATH: certbot.ini
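Review bot: `CERTHUB_CERTBOT_ACCOUNT_REGR`, `CERTHUB_CERTBOT_ACCOUNT_META`, `CERTHUB_CERTBOT_ACCOUNT_ID` and `CERTHUB_CERTBOT_ACCOUNT_SERVER` describe one specific staging account and only work together with the key in `PRIVATE_CERTBOT_ACCOUNT_KEY`, yet nothing in the file says so; extending the existing `# Account setup via certhub-docker-entry script` comment with `# these four values identify the account behind PRIVATE_CERTBOT_ACCOUNT_KEY — rotate them together` would prevent a half-rotation. The `>-` folded style on the two JSON values produces a single line with the indented lines' newlines folded to spaces, which is valid JSON here, but `|-` would keep the JSON readable in logs and is less dependent on the relative indentation of the inner lines.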