ci: migrate to Portainer Git stack + registry-pushed images

- Compose: build → image (Gitea registry ci namespace) for backend + frontend
- Workflow: build + push both + POST Portainer webhook (3-attempt retry)
- Drop docker compose up on host
- Add crowdsec@file to middlewares chain

Repo secrets required: REGISTRY_TOKEN, PORTAINER_WEBHOOK_URL.
Rollback branch: pre-portainer-migration.

.gitea/workflows/deploy.yml

@@ -1,27 +1,11 @@
-# ──────────────────────────────────────────────────────────────────────────────
 # Flight Radar — Gitea Actions CI/CD
 #
-# PREREQUISITES (one-time setup — see README for full instructions):
+# Build backend + frontend images, push to Gitea registry, trigger Portainer
+# redeploy via webhook. Stack managed by Portainer (type=git).
 #
-#   1. Add the act_runner service to your Gitea Portainer stack.
-#
-#   2. Pre-create the runner config file on the host:
-#      /srv/docker/traefik/stacks/gitea/volumes/act_runner/config.yaml
-#      (see content in the README / deployment docs)
-#
-#   3. Start the runner, then grab the registration token from:
-#      Gitea → Site Administration → Runners → Create Runner
-#      Add ACT_RUNNER_TOKEN to Portainer stack environment variables.
-#
-#   4. Give the runner access to Docker (socket mounted via config.yaml).
-#
-# PIPELINE BEHAVIOUR:
-#   • Triggers on every push to the default branch (main).
-#   • Builds both Docker images on the server (no registry needed).
-#   • Brings the app up with docker compose; only changed services restart.
-#   • If the build fails the old containers keep running — no downtime.
-#   • Prunes dangling images after a successful deploy.
-# ──────────────────────────────────────────────────────────────────────────────
+# Repo secrets required:
+#   REGISTRY_TOKEN         ci user token, scope write:package
+#   PORTAINER_WEBHOOK_URL  POST URL from Portainer stack auto-update setting
 
 name: Deploy
 
@@ -29,25 +13,48 @@ on:
   push:
     branches:
       - main
-  workflow_dispatch:    
+  workflow_dispatch:
+
 env:
-  COMPOSE_PROJECT: flight-radar
-  COMPOSE_FILE: flight-comparator/docker-compose.yml
+  BACKEND_IMAGE: git.domverse-berlin.eu/ci/ciaovolo/backend
+  FRONTEND_IMAGE: git.domverse-berlin.eu/ci/ciaovolo/frontend
+  CONTEXT: flight-comparator
 
 jobs:
   deploy:
-    runs-on: ubuntu-latest   # resolved to catthehacker/ubuntu:act-22.04 by runner config
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Deploy with docker compose
+      - name: Login to Gitea registry
+        run: echo "${{ secrets.REGISTRY_TOKEN }}" | docker login git.domverse-berlin.eu -u ci --password-stdin
+
+      - name: Build and push backend
         run: |
-          echo "=== Deploying commit ${{ gitea.sha }} to ${{ gitea.ref_name }} ==="
-          docker compose -f "$COMPOSE_FILE" -p "$COMPOSE_PROJECT" up --build -d --remove-orphans
+          docker build -f "$CONTEXT/Dockerfile.backend" \
+            -t "$BACKEND_IMAGE:latest" -t "$BACKEND_IMAGE:${{ gitea.sha }}" \
+            "$CONTEXT"
+          docker push "$BACKEND_IMAGE:latest"
+          docker push "$BACKEND_IMAGE:${{ gitea.sha }}"
+
+      - name: Build and push frontend
+        run: |
+          docker build -f "$CONTEXT/Dockerfile.frontend" \
+            -t "$FRONTEND_IMAGE:latest" -t "$FRONTEND_IMAGE:${{ gitea.sha }}" \
+            "$CONTEXT"
+          docker push "$FRONTEND_IMAGE:latest"
+          docker push "$FRONTEND_IMAGE:${{ gitea.sha }}"
+
+      - name: Trigger Portainer redeploy (retry on transient pull-lease failure)
+        run: |
+          for i in 1 2 3; do
+            code=$(curl -sk -X POST -o /dev/null -w '%{http_code}' "${{ secrets.PORTAINER_WEBHOOK_URL }}")
+            echo "attempt $i -> $code"
+            [ "$code" = "204" ] && exit 0
+            sleep 5
+          done
+          exit 1
 
       - name: Prune dangling images
         run: docker image prune -f
-
-      - name: Show running containers
-        run: docker compose -f "$COMPOSE_FILE" -p "$COMPOSE_PROJECT" ps