v1.6.0: Docker, docker-compose, Forgejo CI/CD и откат по тегу

- Dockerfile + entrypoint (alembic + uvicorn), compose с healthcheck
- .gitea/workflows: ci (pytest), deploy (SSH + compose по тегу v*)
- docs/CICD.md: секреты, pvestandt9, ручной откат через workflow_dispatch

Made-with: Cursor

.gitea/workflows/deploy.yml

@@ -0,0 +1,48 @@
+# Деплой на сервер по SSH после пуша тега v* или вручную (в т.ч. откат на старый тег).
+name: Deploy
+
+on:
+  push:
+    tags:
+      - "v*"
+  workflow_dispatch:
+    inputs:
+      ref:
+        description: "Git ref (тег для релиза или отката, напр. v1.5.0 или v1.4.1)"
+        required: true
+        default: "main"
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Определить ревизию
+        id: pick
+        run: |
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            echo "ref=${{ inputs.ref }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "ref=${{ github.ref_name }}" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: SSH — fetch, checkout, docker compose
+        uses: appleboy/ssh-action@v1.2.0
+        with:
+          host: ${{ secrets.DEPLOY_HOST }}
+          username: ${{ secrets.DEPLOY_USER }}
+          key: ${{ secrets.DEPLOY_SSH_KEY }}
+          script_stop: true
+          command_timeout: 20m
+          script: |
+            set -euo pipefail
+            cd "${{ secrets.DEPLOY_PATH }}"
+            git fetch origin --tags --prune
+            git checkout "${{ steps.pick.outputs.ref }}"
+            if git show-ref --verify --quiet "refs/remotes/origin/${{ steps.pick.outputs.ref }}"; then
+              git reset --hard "origin/${{ steps.pick.outputs.ref }}"
+            else
+              git reset --hard "${{ steps.pick.outputs.ref }}"
+            fi
+            docker compose build
+            docker compose up -d
+            docker compose ps