refactor(ci): Consolidate workflows and fix Git sync

- Added explicit Git pull in staging deployment after container restart
- Added production auto-deploy job to build-image.yml (for main branch)
- Removed redundant workflows: deploy-staging.yml, deploy-production.yml, production-deploy.yml
- All deployments now handled by build-image.yml:
  - staging branch → auto-deploy to staging
  - main branch → auto-deploy to production
- Fixed build job dependency (removed test dependency)
- Git sync now explicitly pulls code after deployment to ensure containers are up-to-date

.gitea/workflows/build-image.yml

@@ -883,13 +883,16 @@ jobs:
             echo "⏳ Waiting for services to start..."
             sleep 15
             
-            # Force containers to pull latest code by restarting staging-app
-            echo "🔄 Restarting staging-app to pull latest code from Git..."
+            # Force containers to pull latest code from Git repository
+            echo "🔄 Pulling latest code from Git repository in staging-app container..."
+            docker compose exec -T staging-app bash -c "cd /var/www/html && git -c safe.directory=/var/www/html fetch origin staging && git -c safe.directory=/var/www/html reset --hard origin/staging && git -c safe.directory=/var/www/html clean -fd" || echo "⚠️  Git pull failed, container will sync on next restart"
+            
+            # Also trigger a restart to ensure entrypoint script runs
+            echo "🔄 Restarting staging-app to ensure all services are up-to-date..."
             docker compose restart staging-app || echo "⚠️  Failed to restart staging-app"
             
-            echo "⏳ Waiting for Git sync to complete..."
+            echo "⏳ Waiting for services to stabilize..."
             sleep 10
-            
             echo "📊 Container status:"
             docker compose ps
             
@@ -919,3 +922,155 @@ jobs:
           echo "🚀 Staging deployment successful!"
           echo "URL: https://staging.michaelschiemer.de"
           echo "Image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest"
+
+  # Job 4: Auto-deploy to Production (only for main branch)
+  deploy-production:
+    name: Auto-deploy to Production
+    needs: [changes, build, runtime-base]
+    if: (github.ref_name == 'main' || github.head_ref == 'main' || (github.ref_name == '' && contains(github.ref, 'main'))) && needs.changes.outputs.needs_build == 'true'
+    runs-on: ubuntu-latest
+    environment:
+      name: production
+      url: https://michaelschiemer.de
+    env:
+      DEPLOYMENT_HOST: 94.16.110.151
+    steps:
+      - name: Determine branch name
+        id: branch
+        shell: bash
+        run: |
+          REF_NAME="${{ github.ref_name }}"
+          if [ -z "$REF_NAME" ]; then
+            REF_NAME=$(echo "${{ github.ref }}" | sed 's/refs\/heads\///')
+          fi
+          if [ -z "$REF_NAME" ]; then
+            REF_NAME="main"
+          fi
+          echo "BRANCH=$REF_NAME" >> $GITHUB_OUTPUT
+          echo "📋 Branch: $REF_NAME"
+
+      - name: Checkout deployment scripts
+        run: |
+          REF_NAME="${{ steps.branch.outputs.BRANCH }}"
+          REPO="${{ github.repository }}"
+          
+          if [ -n "${{ secrets.CI_TOKEN }}" ]; then
+            git clone --depth 1 --branch "$REF_NAME" \
+              "https://${{ secrets.CI_TOKEN }}@git.michaelschiemer.de/${REPO}.git" \
+              /workspace/repo
+          else
+            git clone --depth 1 --branch "$REF_NAME" \
+              "https://git.michaelschiemer.de/${REPO}.git" \
+              /workspace/repo || \
+            git clone --depth 1 \
+              "https://git.michaelschiemer.de/${REPO}.git" \
+              /workspace/repo
+          fi
+          
+          cd /workspace/repo
+
+      - name: Setup SSH key
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/production
+          chmod 600 ~/.ssh/production
+          ssh-keyscan -H ${{ env.DEPLOYMENT_HOST }} >> ~/.ssh/known_hosts
+
+      - name: Deploy to Production Server
+        run: |
+          set -e
+          
+          DEPLOYMENT_HOST="${{ env.DEPLOYMENT_HOST }}"
+          REGISTRY="${{ env.REGISTRY }}"
+          IMAGE_NAME="${{ env.IMAGE_NAME }}"
+          
+          # Get image tag from build job output with fallback
+          IMAGE_TAG="${{ needs.build.outputs.image_tag }}"
+          
+          # If IMAGE_TAG is empty, use latest
+          if [ -z "$IMAGE_TAG" ] || [ "$IMAGE_TAG" = "..." ] || [ "$IMAGE_TAG" = "null" ]; then
+            COMMIT_SHA="${{ github.sha }}"
+            if [ -z "$COMMIT_SHA" ]; then
+              COMMIT_SHA=$(cd /workspace/repo && git rev-parse HEAD 2>/dev/null || echo "")
+            fi
+            if [ -z "$COMMIT_SHA" ]; then
+              IMAGE_TAG="latest"
+            else
+              SHORT_SHA=$(echo "$COMMIT_SHA" | cut -c1-7)
+              IMAGE_TAG="git-${SHORT_SHA}"
+            fi
+          fi
+          
+          FULL_IMAGE="${REGISTRY}/${IMAGE_NAME}:${IMAGE_TAG}"
+          STACK_PATH="~/deployment/stacks/application"
+          
+          echo "🚀 Starting production deployment..."
+          echo "   Image: ${FULL_IMAGE}"
+          echo "   Tag: ${IMAGE_TAG}"
+          echo "   Host: ${DEPLOYMENT_HOST}"
+          echo "   Stack: ${STACK_PATH}"
+          
+          ssh -i ~/.ssh/production \
+              -o StrictHostKeyChecking=no \
+              -o UserKnownHostsFile=/dev/null \
+              deploy@${DEPLOYMENT_HOST} <<EOF
+            set -e
+            
+            cd ${STACK_PATH}
+            
+            echo "🔐 Logging in to Docker registry..."
+            echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login ${REGISTRY} \
+              -u "${{ secrets.REGISTRY_USER }}" \
+              --password-stdin || echo "⚠️  Registry login failed, continuing..."
+            
+            echo "📥 Pulling image ${FULL_IMAGE}..."
+            docker pull ${FULL_IMAGE} || {
+              echo "❌ Failed to pull image ${FULL_IMAGE}"
+              exit 1
+            }
+            
+            echo "📝 Updating docker-compose.yml..."
+            sed -i "s|image:.*/${IMAGE_NAME}:.*|image: ${FULL_IMAGE}|g" docker-compose.yml
+            sed -i "s|image:.*/${IMAGE_NAME}@.*|image: ${FULL_IMAGE}|g" docker-compose.yml
+            
+            echo "✅ Updated docker-compose.yml:"
+            grep "image:" docker-compose.yml | head -5
+            
+            echo "🔄 Restarting services..."
+            docker compose up -d --pull always --force-recreate || {
+              echo "❌ Failed to restart services"
+              exit 1
+            }
+            
+            echo "⏳ Waiting for services to start..."
+            sleep 10
+            
+            echo "📊 Container status:"
+            docker compose ps
+            
+            echo "✅ Production deployment completed!"
+          EOF
+
+      - name: Wait for deployment to stabilize
+        run: sleep 30
+
+      - name: Health check
+        id: health
+        run: |
+          for i in {1..10}; do
+            if curl -f -k https://michaelschiemer.de/health; then
+              echo "✅ Health check passed"
+              exit 0
+            fi
+            echo "⏳ Waiting for production service... (attempt $i/10)"
+            sleep 10
+          done
+          echo "❌ Health check failed"
+          exit 1
+
+      - name: Notify deployment success
+        if: success()
+        run: |
+          echo "🚀 Production deployment successful!"
+          echo "URL: https://michaelschiemer.de"
+          echo "Image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.build.outputs.image_tag || 'latest' }}"