Add CI and deploy workflows for Gitea Actions

CI runs ruff and eslint/tsc on push to develop and PRs. Deploy
workflow is manual (workflow_dispatch) and builds, pushes, and
deploys images to Unraid via SSH.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.beans/nuzlocke-tracker-jlzs--implement-gitea-actions-cicd-pipeline.md

@@ -1,10 +1,11 @@
 ---
 # nuzlocke-tracker-jlzs
 title: Implement Gitea Actions CI/CD pipeline
-status: draft
+status: in-progress
 type: task
+priority: normal
 created_at: 2026-02-10T09:38:15Z
-updated_at: 2026-02-10T09:38:15Z
+updated_at: 2026-02-10T11:12:32Z
 parent: nuzlocke-tracker-ahza
 ---
 
@@ -14,15 +15,15 @@ Set up Gitea Actions as the CI/CD pipeline for the nuzlocke-tracker. Gitea Actio
 
 - Gitea is already running on Unraid behind Nginx Proxy Manager (`gitea.nerdboden.de`)
 - Images are currently built locally and pushed to the Gitea container registry via `deploy.sh`
-- Gitea Actions can automate building, pushing images, and triggering deployment on push to `main`
+- A Gitea Actions runner is already deployed on Unraid and connected to the Gitea instance
 - The workflow syntax is compatible with GitHub Actions, so the same `.github/workflows/` files work on both platforms
 
 ## Checklist
 
-- [ ] **Enable Gitea Actions on the Gitea instance** — ensure the Actions feature is enabled in `app.ini` (`[actions] ENABLED = true`) and restart Gitea
+- [x] **Enable Gitea Actions on the Gitea instance** — Actions feature is enabled and runner is connected
-- [ ] **Set up a Gitea Actions runner** — deploy an `act_runner` container on Unraid (or the same host as Gitea), register it with the Gitea instance, and verify it picks up jobs
+- [x] **Set up a Gitea Actions runner** — `act_runner` is deployed on Unraid and registered with Gitea
-- [ ] **Create CI workflow** (`.github/workflows/ci.yml`) — on push to `develop` and PRs: lint, run tests (backend + frontend), and report status
+- [x] **Create CI workflow** (`.github/workflows/ci.yml`) — on push to `develop` and PRs: run `ruff check` + `ruff format --check` for backend, `eslint` + `tsc` for frontend. Tests can be added later when they exist.
-- [ ] **Create deploy workflow** (`.github/workflows/deploy.yml`) — on push to `main`: build Docker images (linux/amd64), push to the Gitea container registry, and trigger redeployment on Unraid via SSH
+- [x] **Create deploy workflow** (`.github/workflows/deploy.yml`) — triggered via `workflow_dispatch` on `main`: build Docker images (linux/amd64), push to the Gitea container registry, deploy to Unraid via SSH (`docker compose pull && docker compose up -d`)
-- [ ] **Configure secrets in Gitea** — add repository or org-level secrets for registry credentials, SSH key/host for deployment, and any other sensitive values the workflows need
+- [ ] **Configure secrets in Gitea** — generate a new SSH keypair, add the public key to Unraid root user's `authorized_keys`, add the private key as a Gitea repo secret (`DEPLOY_SSH_KEY`). Also add any registry credentials or other sensitive values the workflows need.
-- [ ] **Test the full pipeline** — push a change through `feature/*` → `develop` → `main` and verify the CI and deploy workflows run successfully end-to-end
+- [ ] **Test the full pipeline** — push a change through `feature/*` → `develop` (verify CI runs), then merge `develop` → `main` and trigger the deploy workflow via `workflow_dispatch` to verify end-to-end
 - [ ] **Update deployment docs** — document the Gitea Actions setup, how to manage the runner, and how CI/CD fits into the deployment workflow

.github/workflows/ci.yml

@@ -0,0 +1,38 @@
+name: CI
+
+on:
+  push:
+    branches: [develop]
+  pull_request:
+    branches: [develop]
+
+jobs:
+  backend-lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - run: pip install ruff
+      - name: Check linting
+        run: ruff check backend/
+      - name: Check formatting
+        run: ruff format --check backend/
+
+  frontend-lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "24"
+      - name: Install dependencies
+        run: npm ci
+        working-directory: frontend
+      - name: Lint
+        run: npm run lint
+        working-directory: frontend
+      - name: Type check
+        run: npx tsc -b
+        working-directory: frontend

.github/workflows/deploy.yml

@@ -0,0 +1,42 @@
+name: Deploy
+
+on:
+  workflow_dispatch:
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/main'
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Login to Gitea registry
+        run: echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login gitea.nerdboden.de -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin
+
+      - name: Build and push API image
+        run: |
+          docker build --platform linux/amd64 \
+            -t gitea.nerdboden.de/thefurya/nuzlocke-tracker-api:latest \
+            -f backend/Dockerfile.prod ./backend
+          docker push gitea.nerdboden.de/thefurya/nuzlocke-tracker-api:latest
+
+      - name: Build and push frontend image
+        run: |
+          docker build --platform linux/amd64 \
+            -t gitea.nerdboden.de/thefurya/nuzlocke-tracker-frontend:latest \
+            -f frontend/Dockerfile.prod ./frontend
+          docker push gitea.nerdboden.de/thefurya/nuzlocke-tracker-frontend:latest
+
+      - name: Deploy to Unraid
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.DEPLOY_SSH_KEY }}" > ~/.ssh/deploy_key
+          chmod 600 ~/.ssh/deploy_key
+          SSH_CMD="ssh -o StrictHostKeyChecking=no -i ~/.ssh/deploy_key root@192.168.1.10"
+          SCP_CMD="scp -o StrictHostKeyChecking=no -i ~/.ssh/deploy_key"
+          DEPLOY_DIR="/mnt/user/appdata/nuzlocke-tracker"
+
+          $SCP_CMD docker-compose.prod.yml "root@192.168.1.10:${DEPLOY_DIR}/docker-compose.yml"
+          $SCP_CMD backup.sh "root@192.168.1.10:${DEPLOY_DIR}/backup.sh"
+          $SSH_CMD "chmod +x '${DEPLOY_DIR}/backup.sh'"
+          $SSH_CMD "cd '${DEPLOY_DIR}' && docker compose pull && docker compose up -d"