ci(portal): sign orca webhook POST with HMAC-SHA256

When `orca webhooks add` registers a webhook it generates a signing
secret by default; orca then requires X-Hub-Signature-256 on inbound
POSTs (the public master at :6880 means anyone could otherwise fire
a deploy by crafting the JSON body).

Adds the signing step using the standard github-shaped header. The
secret is consumed from a new Gitea Actions secret ORCA_WEBHOOK_SECRET
on this repo — value provided out-of-band from the master.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.gitea/workflows/ci.yaml

@@ -134,9 +134,18 @@ jobs:
             registry.meghsakha.com/breakpilot/portal:latest
             registry.meghsakha.com/breakpilot/portal:sha-${{ github.sha }}
       - name: trigger orca redeploy
+        # Signs the POST with HMAC-SHA256 over the JSON body using the
+        # secret orca generated when the webhook was registered. Orca's
+        # endpoint is publicly reachable on the master, so the signature
+        # gates who can fire a deploy.
+        env:
+          ORCA_WEBHOOK_SECRET: ${{ secrets.ORCA_WEBHOOK_SECRET }}
         run: |
+          BODY='{"repository":{"full_name":"platform/portal"},"ref":"refs/heads/main"}'
+          SIG="sha256=$(printf '%s' "$BODY" | openssl dgst -sha256 -hmac "$ORCA_WEBHOOK_SECRET" -hex | awk '{print $NF}')"
           curl -ksSf -X POST \
             -H "Content-Type: application/json" \
             -H "X-GitHub-Event: push" \
-            -d '{"repository":{"full_name":"platform/portal"},"ref":"refs/heads/main"}' \
+            -H "X-Hub-Signature-256: $SIG" \
+            -d "$BODY" \
             https://46.225.100.82:6880/api/v1/webhooks/github