Merge feature/gitea-cicd: Gitea Actions CI/CD pipeline

Adds a workflow that triggers on push to main: builds backend/frontend
Docker images, pushes to Gitea container registry, pulls and restarts
on the host, health checks, prunes old images, and sends ntfy notifications.
docker-compose.yaml updated to pull pre-built images from registry and
includes act_runner as a 4th service.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.gitea/workflows/deploy.yml

@@ -0,0 +1,82 @@
+name: Build and Deploy UMBRA
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+jobs:
+  build-and-deploy:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: https://github.com/actions/checkout@v4
+
+      - name: Login to Gitea Container Registry
+        uses: https://github.com/docker/login-action@v3
+        with:
+          registry: ${{ vars.REGISTRY_HOST }}
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+
+      - name: Build and push backend
+        uses: https://github.com/docker/build-push-action@v5
+        with:
+          context: ./backend
+          push: true
+          tags: |
+            ${{ vars.REGISTRY_HOST }}/rohskiddo/umbra-backend:main-latest
+            ${{ vars.REGISTRY_HOST }}/rohskiddo/umbra-backend:${{ github.sha }}
+
+      - name: Build and push frontend
+        uses: https://github.com/docker/build-push-action@v5
+        with:
+          context: ./frontend
+          push: true
+          tags: |
+            ${{ vars.REGISTRY_HOST }}/rohskiddo/umbra-frontend:main-latest
+            ${{ vars.REGISTRY_HOST }}/rohskiddo/umbra-frontend:${{ github.sha }}
+
+      - name: Pull new images
+        run: |
+          cd /opt/umbra
+          docker compose pull backend frontend
+
+      - name: Deploy
+        run: |
+          cd /opt/umbra
+          docker compose up -d
+
+      - name: Health check
+        run: |
+          echo "Waiting for services to start..."
+          sleep 10
+          curl -f http://localhost/health || exit 1
+
+      - name: Prune old images
+        if: success()
+        run: docker image prune -f
+
+      - name: Notify success
+        if: success()
+        run: |
+          curl -s \
+            -H "Title: UMBRA Deploy Success" \
+            -H "Tags: white_check_mark" \
+            --data-binary @- https://ntfy.ghost6.xyz/claude <<'NTFY_EOF'
+          Build ${{ github.sha }} deployed successfully to umbra.ghost6.xyz.
+          Triggered by push to main.
+          NTFY_EOF
+
+      - name: Notify failure
+        if: failure()
+        run: |
+          curl -s \
+            -H "Title: UMBRA Deploy FAILED" \
+            -H "Tags: fire" \
+            -H "Priority: high" \
+            --data-binary @- https://ntfy.ghost6.xyz/claude <<'NTFY_EOF'
+          Deploy failed for commit ${{ github.sha }}.
+          Check Gitea Actions logs at git.sentinelforest.xyz.
+          NTFY_EOF

docker-compose.yaml

@@ -19,7 +19,7 @@ services:
           cpus: "1.0"
 
   backend:
-    build: ./backend
+    image: git.sentinelforest.xyz/rohskiddo/umbra-backend:main-latest
     restart: unless-stopped
     env_file: .env
     depends_on:
@@ -41,7 +41,7 @@ services:
           cpus: "1.0"
 
   frontend:
-    build: ./frontend
+    image: git.sentinelforest.xyz/rohskiddo/umbra-frontend:main-latest
     restart: unless-stopped
     ports:
       - "80:8080"
@@ -61,8 +61,26 @@ services:
           memory: 128M
           cpus: "0.5"
 
+  act_runner:
+    image: gitea/act_runner:latest
+    restart: unless-stopped
+    volumes:
+      - act_runner_data:/data
+      - /var/run/docker.sock:/var/run/docker.sock
+    environment:
+      - GITEA_INSTANCE_URL=https://git.sentinelforest.xyz
+      - GITEA_RUNNER_REGISTRATION_TOKEN=${GITEA_RUNNER_REGISTRATION_TOKEN}
+      - GITEA_RUNNER_NAME=umbra-runner
+      - GITEA_RUNNER_LABELS=ubuntu-latest:docker://node:20-bookworm
+    deploy:
+      resources:
+        limits:
+          memory: 256M
+          cpus: "1.0"
+
 volumes:
   postgres_data:
+  act_runner_data:
 
 networks:
   backend_net: