ci: replace coolify webhook with orca deploy

Build and push image to registry, then trigger orca redeploy via
HMAC-signed webhook. Coolify webhook is no longer the source of truth.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.gitea/workflows/ci.yml

@@ -262,10 +262,28 @@ jobs:
     needs: [test]
     if: github.ref == 'refs/heads/main'
     container:
-      image: alpine:latest
+      image: docker:27-cli
     steps:
-      - name: Trigger Coolify deploy
+      - name: Checkout
         run: |
-          apk add --no-cache curl
+          apk add --no-cache git curl
-          curl -sf "${{ secrets.COOLIFY_WEBHOOK }}" \
+          git init
-            -H "Authorization: Bearer ${{ secrets.COOLIFY_TOKEN }}"
+          git remote add origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
+          git fetch --depth=1 origin "${GITHUB_SHA}"
+          git checkout FETCH_HEAD
+      - name: Build and push image
+        run: |
+          IMAGE=registry.meghsakha.com/certifai-dashboard
+          echo "${{ secrets.REGISTRY_PASSWORD }}" | \
+            docker login registry.meghsakha.com -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin
+          docker build -t "$IMAGE:latest" -t "$IMAGE:${GITHUB_SHA}" .
+          docker push "$IMAGE:latest"
+          docker push "$IMAGE:${GITHUB_SHA}"
+      - name: Trigger orca redeploy
+        run: |
+          PAYLOAD=$(printf '{"ref":"refs/heads/main","repository":{"full_name":"sharang/certifai"},"head_commit":{"id":"%s","message":"CI deploy"}}' "${GITHUB_SHA}")
+          SIG=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "${{ secrets.ORCA_WEBHOOK_SECRET }}" | awk '{print $2}')
+          curl -fsS -X POST "http://46.225.100.82:6880/api/v1/webhooks/github" \
+            -H "Content-Type: application/json" \
+            -H "X-Hub-Signature-256: sha256=$SIG" \
+            -d "$PAYLOAD"