feat(deploy): add GHCR deployment workflows with image-based promotion [AYG-73]

Replace legacy self-hosted Docker Compose deploy workflows with GHCR-based
CI/CD pipeline. Staging builds and pushes to GHCR on every push to main.
Production promotes the exact staging image by re-tagging (no rebuild),
guaranteeing identical binaries across environments.

Key changes:
- deploy-staging.yml: ubuntu-latest, docker/build-push-action, SHA+staging tags,
  concurrency with cancel-in-progress, 5 pluggable deploy blocks
- deploy-production.yml: image promotion (pull→re-tag→push), semver+latest tags,
  concurrency without cancel-in-progress, 5 pluggable deploy blocks
- .env.example: added Deployment (CI/CD) section with platform secret placeholders
- README.md: rewritten with full deployment docs (environment model, GHCR tagging,
  staging/production flows, rollback, pre-production checklist, Supabase migrations)
- docs/deployment/ci-pipeline.md: updated staging/production sections, secrets tables,
  self-hosted runners now optional
- docs/deployment/environments.md: updated deploy processes, rollback procedures,
  health check URLs, platform-specific secrets

Pluggable deploy targets: Railway, Alibaba Cloud (ACR+ECS), Google Cloud Run,
Fly.io, Self-hosted (Docker Compose via SSH).

Fixes AYG-73
Related to AYG-64

🤖 Generated by Aygentic

Co-Authored-By: Aygentic <noreply@aygentic.com>

Author: amostt

.env.example

@@ -40,3 +40,18 @@ DOCKER_IMAGE_FRONTEND=frontend
 SENTRY_DSN=
 # GIT_COMMIT=                  # Set automatically by CI (git commit SHA)
 # BUILD_TIME=                  # Set automatically by CI (build timestamp)
+
+# ─── Deployment (CI/CD) ─────────────────────────────────────────────────────
+# These variables are used by GitHub Actions deployment workflows.
+# GHCR authentication uses GITHUB_TOKEN (automatic in GitHub Actions).
+#
+# Platform-specific deploy tokens (uncomment one for your platform):
+# RAILWAY_TOKEN=               # Railway deploy token
+# RAILWAY_SERVICE_ID_STAGING=  # Railway service ID for staging
+# RAILWAY_SERVICE_ID_PRODUCTION= # Railway service ID for production
+# GCP_SA_KEY=                  # Google Cloud service account key (JSON)
+# GCP_SERVICE_NAME=            # Google Cloud Run service name
+# FLY_API_TOKEN=               # Fly.io API token
+# DEPLOY_HOST=                 # Self-hosted: SSH host for deployment
+# ALIBABA_ACCESS_KEY=          # Alibaba Cloud access key
+# ALIBABA_SECRET_KEY=          # Alibaba Cloud secret key

.github/workflows/deploy-production.yml

@@ -2,29 +2,90 @@ name: Deploy to Production
 
 on:
   release:
-    types:
-      - published
+    types: [published]
+
+concurrency:
+  group: deploy-production
+  cancel-in-progress: false
 
 jobs:
   deploy:
-    if: github.repository_owner != 'fastapi'
-    runs-on:
-      - self-hosted
-      - production
-    env:
-      ENVIRONMENT: production
-      DOMAIN: ${{ secrets.DOMAIN_PRODUCTION }}
-      STACK_NAME: ${{ secrets.STACK_NAME_PRODUCTION }}
-      SUPABASE_URL: ${{ secrets.SUPABASE_URL }}
-      SUPABASE_SERVICE_KEY: ${{ secrets.SUPABASE_SERVICE_KEY }}
-      CLERK_SECRET_KEY: ${{ secrets.CLERK_SECRET_KEY }}
-      BACKEND_CORS_ORIGINS: ${{ secrets.BACKEND_CORS_ORIGINS }}
-      SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
-      SERVICE_NAME: ${{ secrets.SERVICE_NAME }}
-      DOCKER_IMAGE_BACKEND: ${{ secrets.DOCKER_IMAGE_BACKEND }}
-      DOCKER_IMAGE_FRONTEND: ${{ secrets.DOCKER_IMAGE_FRONTEND }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
     steps:
       - name: Checkout
         uses: actions/checkout@v6
-      - run: docker compose -f compose.yml --project-name ${{ secrets.STACK_NAME_PRODUCTION }} build
-      - run: docker compose -f compose.yml --project-name ${{ secrets.STACK_NAME_PRODUCTION }} up -d
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Verify staging image exists in GHCR
+        env:
+          IMAGE: ghcr.io/${{ github.repository }}/backend:${{ github.sha }}
+        run: |
+          docker manifest inspect "${IMAGE}" > /dev/null || \
+            (echo "ERROR: Staging image not found for SHA ${{ github.sha }}. Ensure the staging deploy completed before publishing a release." && exit 1)
+
+      - name: Promote staging image to production (re-tag, no rebuild)
+        env:
+          REPO: ${{ github.repository }}
+          SHA: ${{ github.sha }}
+          TAG_NAME: ${{ github.event.release.tag_name }}
+        run: |
+          # Pull the exact image built and validated in the staging pipeline
+          docker pull "ghcr.io/${REPO}/backend:${SHA}"
+
+          # Re-tag as version and latest
+          docker tag "ghcr.io/${REPO}/backend:${SHA}" \
+            "ghcr.io/${REPO}/backend:${TAG_NAME}"
+          docker tag "ghcr.io/${REPO}/backend:${SHA}" \
+            "ghcr.io/${REPO}/backend:latest"
+
+          # Push version and latest tags
+          docker push "ghcr.io/${REPO}/backend:${TAG_NAME}"
+          docker push "ghcr.io/${REPO}/backend:latest"
+
+      # --- PLUGGABLE DEPLOY STEP ---
+      # Uncomment ONE of the following blocks for your platform.
+      # Use ${{ github.event.release.tag_name }} as the production image tag.
+      # The image is identical to what was validated on staging — no rebuild.
+
+      # --- Railway ---
+      # - name: Deploy to Railway
+      #   run: railway up --service ${{ secrets.RAILWAY_SERVICE_ID_PRODUCTION }}
+      #   env:
+      #     RAILWAY_TOKEN: ${{ secrets.RAILWAY_TOKEN }}
+
+      # --- Alibaba Cloud (ACR + ECS) ---
+      # - name: Push to Alibaba Cloud ACR
+      #   run: |
+      #     docker tag ghcr.io/${{ github.repository }}/backend:${{ github.event.release.tag_name }} \
+      #       registry.{region}.aliyuncs.com/{namespace}/{service}:${{ github.event.release.tag_name }}
+      #     docker push registry.{region}.aliyuncs.com/{namespace}/{service}:${{ github.event.release.tag_name }}
+      # - name: Deploy to ECS
+      #   run: aliyun ecs ... # Update ECS service with new image
+
+      # --- Google Cloud Run ---
+      # - name: Deploy to Cloud Run
+      #   uses: google-github-actions/deploy-cloudrun@v2
+      #   with:
+      #     service: ${{ secrets.GCP_SERVICE_NAME }}
+      #     image: ghcr.io/${{ github.repository }}/backend:${{ github.event.release.tag_name }}
+
+      # --- Fly.io ---
+      # - name: Deploy to Fly.io
+      #   uses: superfly/flyctl-actions/setup-flyctl@main
+      # - run: flyctl deploy --image ghcr.io/${{ github.repository }}/backend:${{ github.event.release.tag_name }}
+      #   env:
+      #     FLY_API_TOKEN: ${{ secrets.FLY_API_TOKEN }}
+
+      # --- Self-hosted (Docker Compose via SSH) ---
+      # - name: Deploy via SSH
+      #   run: |
+      #     ssh ${{ secrets.DEPLOY_HOST }} "docker pull ghcr.io/${{ github.repository }}/backend:${{ github.event.release.tag_name }} && docker compose up -d"

.github/workflows/deploy-staging.yml

@@ -2,29 +2,76 @@ name: Deploy to Staging
 
 on:
   push:
-    branches:
-      - main
+    branches: [main]
+
+concurrency:
+  group: deploy-staging
+  cancel-in-progress: true
 
 jobs:
   deploy:
-    if: github.repository_owner != 'fastapi'
-    runs-on:
-      - self-hosted
-      - staging
-    env:
-      ENVIRONMENT: staging
-      DOMAIN: ${{ secrets.DOMAIN_STAGING }}
-      STACK_NAME: ${{ secrets.STACK_NAME_STAGING }}
-      SUPABASE_URL: ${{ secrets.SUPABASE_URL }}
-      SUPABASE_SERVICE_KEY: ${{ secrets.SUPABASE_SERVICE_KEY }}
-      CLERK_SECRET_KEY: ${{ secrets.CLERK_SECRET_KEY }}
-      BACKEND_CORS_ORIGINS: ${{ secrets.BACKEND_CORS_ORIGINS }}
-      SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
-      SERVICE_NAME: ${{ secrets.SERVICE_NAME }}
-      DOCKER_IMAGE_BACKEND: ${{ secrets.DOCKER_IMAGE_BACKEND }}
-      DOCKER_IMAGE_FRONTEND: ${{ secrets.DOCKER_IMAGE_FRONTEND }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
     steps:
       - name: Checkout
         uses: actions/checkout@v6
-      - run: docker compose -f compose.yml --project-name ${{ secrets.STACK_NAME_STAGING }} build
-      - run: docker compose -f compose.yml --project-name ${{ secrets.STACK_NAME_STAGING }} up -d
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: backend/Dockerfile
+          push: true
+          tags: |
+            ghcr.io/${{ github.repository }}/backend:${{ github.sha }}
+            ghcr.io/${{ github.repository }}/backend:staging
+          build-args: |
+            GIT_COMMIT=${{ github.sha }}
+            BUILD_TIME=${{ github.event.head_commit.timestamp }}
+
+      # --- PLUGGABLE DEPLOY STEP ---
+      # Uncomment ONE of the following blocks for your platform:
+
+      # --- Railway ---
+      # - name: Deploy to Railway
+      #   run: railway up --service ${{ secrets.RAILWAY_SERVICE_ID_STAGING }}
+      #   env:
+      #     RAILWAY_TOKEN: ${{ secrets.RAILWAY_TOKEN }}
+
+      # --- Alibaba Cloud (ACR + ECS) ---
+      # - name: Push to Alibaba Cloud ACR
+      #   run: |
+      #     docker tag ghcr.io/${{ github.repository }}/backend:${{ github.sha }} \
+      #       registry.{region}.aliyuncs.com/{namespace}/{service}:${{ github.sha }}
+      #     docker push registry.{region}.aliyuncs.com/{namespace}/{service}:${{ github.sha }}
+      # - name: Deploy to ECS
+      #   run: aliyun ecs ... # Update ECS service with new image
+
+      # --- Google Cloud Run ---
+      # - name: Deploy to Cloud Run
+      #   uses: google-github-actions/deploy-cloudrun@v2
+      #   with:
+      #     service: ${{ secrets.GCP_SERVICE_NAME }}
+      #     image: ghcr.io/${{ github.repository }}/backend:${{ github.sha }}
+
+      # --- Fly.io ---
+      # - name: Deploy to Fly.io
+      #   uses: superfly/flyctl-actions/setup-flyctl@main
+      # - run: flyctl deploy --image ghcr.io/${{ github.repository }}/backend:${{ github.sha }}
+      #   env:
+      #     FLY_API_TOKEN: ${{ secrets.FLY_API_TOKEN }}
+
+      # --- Self-hosted (Docker Compose via SSH) ---
+      # - name: Deploy via SSH
+      #   run: |
+      #     ssh ${{ secrets.DEPLOY_HOST }} "docker pull ghcr.io/${{ github.repository }}/backend:${{ github.sha }} && docker compose up -d"