ci(deploy): build + push image on Gitea, ssh-deploy to netcup

Adds .gitea/workflows/{ci,deploy}.yml. Both jobs run inside the
custom git.librete.ch/libretech/runner-image:v1 image. CI on every
push runs npm test + a sanity build with placeholder VITE_*. The
deploy workflow (gated on vars.DEPLOY_ENABLED) builds the
multi-stage Vite + nginx Dockerfile, pushes to
git.librete.ch/libretech/code-crispies (main → :main + :sha-<short>;
tag → :<tag> + :latest), and ssh-deploys the netcup stack with
'docker compose pull && up -d'.

compose.yaml gains an opt-in image-pull mode: CC_IMAGE pins the
published tag in production (set in /srv/cc/.env), while the dev
shell falls through to a local build when CC_IMAGE is unset.

Replaces the legacy github-pages workflow at .github/workflows/main.yml
which targeted GitHub Pages, not the netcup deployment.

.gitea/workflows/ci.yml

@@ -0,0 +1,37 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  ci:
+    runs-on: ubuntu-latest
+    container:
+      image: git.librete.ch/libretech/runner-image:v1
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Cache npm
+        uses: actions/cache@v4
+        with:
+          path: ~/.npm
+          key: npm-${{ hashFiles('package-lock.json') }}
+          restore-keys: npm-
+
+      - name: Install
+        run: npm ci --no-audit --no-fund
+
+      - name: Test
+        run: npm test
+
+      - name: Build (sanity)
+        env:
+          # Build needs VITE_* injected at compile time. Use placeholders
+          # for CI sanity build — real values are passed at deploy time.
+          VITE_SUPABASE_URL: https://example.invalid
+          VITE_SUPABASE_ANON_KEY: ci-placeholder
+        run: npm run build