ci(deploy): add gitea LXC deploy + validate workflows

Mirrors the buildfor_life_budget workflow pair: Gitea runs both
deploy and validate, GitHub mirrors validate only. Differences from
the sibling: pnpm + fnm instead of npm, Node pinned via .node-version,
and the repo is cloned over public HTTPS so no separate deploy key
is needed for git.b4l.co.th. Document required Gitea secrets in
DEPLOYMENT.md.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

DEPLOYMENT.md

@@ -236,6 +236,22 @@ Environment=HOST_HEADER=x-forwarded-host
 
 ## 12. Upgrades
 
+### Automated (CI-driven)
+
+`.gitea/workflows/deploy.yml` runs on every push to `main`. It SSHes into the LXC host, pulls, installs, builds, migrates, and restarts the service. Required Gitea secrets:
+
+| Secret | Purpose |
+| --- | --- |
+| `DEPLOY_HOST` | SSH host of the LXC container |
+| `DEPLOY_USER` | SSH user (must own `$DEPLOY_PATH` and have a sudoers entry for `systemctl restart buildfor_life_ops`) |
+| `DEPLOY_KEY` | Private SSH key matching an authorized key on the deploy user |
+| `DEPLOY_PORT` | *(optional, default `22`)* |
+| `DEPLOY_PATH` | *(optional, default `/opt/buildfor_life_ops/app`)* |
+
+The repo itself is cloned from `https://git.b4l.co.th/B4L/buildfor_life_ops.git` (public HTTPS) — no repo deploy key needed, unlike the budget sibling.
+
+### Manual
+
 ```bash
 cd /opt/buildfor_life_ops/app
 git fetch --tags
@@ -245,15 +261,15 @@ git checkout <tag-or-sha>
 fnm use --install-if-missing
 
 pnpm install --frozen-lockfile
-pnpm run db:migrate
 pnpm run build
+pnpm run db:migrate
 pnpm install --prod --frozen-lockfile
 
 systemctl restart buildfor_life_ops
 journalctl -u buildfor_life_ops -n 100 --no-pager
 ```
 
-A migration that cannot be rolled back forward-only (rare — see `drizzle/README.md`) needs a maintenance window and a DB snapshot first.
+A migration that cannot be rolled forward-only (rare — see `drizzle/README.md`) needs a maintenance window and a DB snapshot first.
 
 ## 13. Rollback