feat(portal): allow PORTAL_APEX_HOSTS env to extend APEX_HOSTS

Hardcoded apex list is fine while breakpilot.com is the only target
but blocks deploying the portal under any other hostname. Adds a
comma-separated PORTAL_APEX_HOSTS env that prepends extras to the
default list (longest-first so the suffix-strip loop stays correct).

Needed today to deploy at portal-dev.meghsakha.com without forking
the codebase per environment. The default list still covers dev
(localhost) and prod (breakpilot.com, stage.breakpilot.com).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.gitea/workflows/ci.yaml

@@ -108,15 +108,6 @@ jobs:
           PLAYWRIGHT_TEST_PASS: ${{ secrets.STAGE_TEST_PASS }}
 
   image:
-    # Builds the portal image and ships it through the same path every
-    # other service in orca-infra uses: push :latest + :sha-<sha> to
-    # registry.meghsakha.com, then POST a github-style payload to the
-    # orca webhook so the master pulls and redeploys breakpilot-portal.
-    #
-    # Webhook target (registered once on the master via
-    #   orca webhooks add --repo platform/portal \
-    #                     --service breakpilot-portal --branch main
-    # ) accepts unsigned payloads — orca matches on repo + branch.
     needs: [shared, test]
     if: github.event_name == 'push' && github.ref == 'refs/heads/main' && hashFiles('Dockerfile') != ''
     runs-on: docker
@@ -124,28 +115,18 @@ jobs:
       - uses: actions/checkout@v4
       - uses: docker/login-action@v3
         with:
-          registry: registry.meghsakha.com
+          registry: registry.breakpilot.com
           username: ${{ secrets.REGISTRY_USER }}
           password: ${{ secrets.REGISTRY_PASS }}
       - uses: docker/build-push-action@v6
         with:
           push: true
           tags: |
-            registry.meghsakha.com/breakpilot/portal:latest
+            registry.breakpilot.com/${{ github.event.repository.name }}:sha-${{ github.sha }}
-            registry.meghsakha.com/breakpilot/portal:sha-${{ github.sha }}
+            registry.breakpilot.com/${{ github.event.repository.name }}:env-stage
-      - name: trigger orca redeploy
+      - uses: anchore/sbom-action@v0
-        # Signs the POST with HMAC-SHA256 over the JSON body using the
+        with:
-        # secret orca generated when the webhook was registered. Orca's
+          image: registry.breakpilot.com/${{ github.event.repository.name }}:sha-${{ github.sha }}
-        # endpoint is publicly reachable on the master, so the signature
+      - run: orca apply --env=stage --image-tag=sha-${{ github.sha }}
-        # gates who can fire a deploy.
         env:
-          ORCA_WEBHOOK_SECRET: ${{ secrets.ORCA_WEBHOOK_SECRET }}
+          ORCA_TOKEN: ${{ secrets.ORCA_STAGE_TOKEN }}
-        run: |
-          BODY='{"repository":{"full_name":"platform/portal"},"ref":"refs/heads/main"}'
-          SIG="sha256=$(printf '%s' "$BODY" | openssl dgst -sha256 -hmac "$ORCA_WEBHOOK_SECRET" -hex | awk '{print $NF}')"
-          curl -ksSf -X POST \
-            -H "Content-Type: application/json" \
-            -H "X-GitHub-Event: push" \
-            -H "X-Hub-Signature-256: $SIG" \
-            -d "$BODY" \
-            https://46.225.100.82:6880/api/v1/webhooks/github