ci(tenant-registry): retarget image build to registry.meghsakha.com + orca webhook

Mirrors the portal CI pattern (platform/portal #14). Previous workflow
pushed to a future-prod registry that doesn't exist, then called an orca
CLI shape this version doesn't ship.

- Registry: registry.meghsakha.com
- Image path: breakpilot/tenant-registry
- Tags: :latest (webhook deploy) + :sha-<sha> (traceability)
- Webhook: HMAC-signed POST to the orca master

One-time setup before this can deploy:
1. Add Gitea Actions secrets to this repo: REGISTRY_USER, REGISTRY_PASS, ORCA_WEBHOOK_SECRET
2. On the orca master:
   orca webhooks add --repo platform/tenant-registry \
                     --service breakpilot-tenant-registry --branch main

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.gitea/workflows/ci.yaml

@@ -93,30 +93,35 @@ jobs:
         run: go build ./...
 
   image:
+    # Mirrors the portal CI pattern (platform/portal PR #14): push to
+    # registry.meghsakha.com, then POST a github-style payload signed
+    # with HMAC-SHA256 to the orca webhook on the master. Master matches
+    # on repo+branch and redeploys the breakpilot-tenant-registry service.
     needs: [shared, test]
     if: github.event_name == 'push' && github.ref == 'refs/heads/main' && hashFiles('Dockerfile') != ''
     runs-on: docker
     steps:
       - uses: actions/checkout@v4
-
       - uses: docker/login-action@v3
         with:
-          registry: registry.breakpilot.com
+          registry: registry.meghsakha.com
           username: ${{ secrets.REGISTRY_USER }}
           password: ${{ secrets.REGISTRY_PASS }}
-
       - uses: docker/build-push-action@v6
         with:
           push: true
           tags: |
-            registry.breakpilot.com/${{ github.event.repository.name }}:sha-${{ github.sha }}
-            registry.breakpilot.com/${{ github.event.repository.name }}:env-stage
-
-      - uses: anchore/sbom-action@v0
-        with:
-          image: registry.breakpilot.com/${{ github.event.repository.name }}:sha-${{ github.sha }}
-
-      - name: orca deploy stage
-        run: orca apply --env=stage --image-tag=sha-${{ github.sha }}
+            registry.meghsakha.com/breakpilot/tenant-registry:latest
+            registry.meghsakha.com/breakpilot/tenant-registry:sha-${{ github.sha }}
+      - name: trigger orca redeploy
         env:
-          ORCA_TOKEN: ${{ secrets.ORCA_STAGE_TOKEN }}
+          ORCA_WEBHOOK_SECRET: ${{ secrets.ORCA_WEBHOOK_SECRET }}
+        run: |
+          BODY='{"repository":{"full_name":"platform/tenant-registry"},"ref":"refs/heads/main"}'
+          SIG="sha256=$(printf '%s' "$BODY" | openssl dgst -sha256 -hmac "$ORCA_WEBHOOK_SECRET" -hex | awk '{print $NF}')"
+          curl -ksSf -X POST \
+            -H "Content-Type: application/json" \
+            -H "X-GitHub-Event: push" \
+            -H "X-Hub-Signature-256: $SIG" \
+            -d "$BODY" \
+            https://46.225.100.82:6880/api/v1/webhooks/github