fix: Build CI images on production server

- Add build-ci-image-production.sh script for building CI images on production
- Add BUILD_ON_PRODUCTION.md documentation
- Fix Dockerfile to handle optional PECL extensions for PHP 8.5 RC

This fixes the issue where Gitea workflows fail with:
'Error response from daemon: pull access denied for php-ci'

deployment/gitea-runner/build-ci-image-production.sh

@@ -0,0 +1,117 @@
+#!/bin/bash
+# Build CI Docker Image on Production Server
+# This script builds the php-ci image and loads it into docker-dind
+# Usage: ./build-ci-image-production.sh
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+
+# PHP CI Image
+PHP_CI_IMAGE="${CI_IMAGE_NAME:-php-ci:latest}"
+REGISTRY="${CI_REGISTRY:-registry.michaelschiemer.de}"
+PHP_CI_REGISTRY_IMAGE="${REGISTRY}/ci/php-ci:latest"
+
+# Docker Build Image
+DOCKER_BUILD_IMAGE="${DOCKER_BUILD_IMAGE_NAME:-docker-build:latest}"
+DOCKER_BUILD_REGISTRY_IMAGE="${REGISTRY}/ci/docker-build:latest"
+
+echo "🔨 Building CI Docker Images on Production Server..."
+echo ""
+echo "1. PHP CI Image: ${PHP_CI_IMAGE}"
+echo "   Dockerfile: ${PROJECT_ROOT}/docker/ci/Dockerfile"
+echo ""
+echo "2. Docker Build Image: ${DOCKER_BUILD_IMAGE}"
+echo "   Dockerfile: ${PROJECT_ROOT}/docker/ci/Dockerfile.build"
+echo ""
+
+cd "$PROJECT_ROOT"
+
+# Check if docker-dind is running
+if ! docker ps | grep -q "gitea-runner-dind"; then
+    echo "⚠️  Warning: gitea-runner-dind container not found"
+    echo "   Make sure the Gitea runner stack is running:"
+    echo "   cd ${SCRIPT_DIR} && docker compose up -d"
+    echo ""
+    read -p "Continue anyway? (y/N) " -n 1 -r
+    echo
+    if [[ ! $REPLY =~ ^[Yy]$ ]]; then
+        exit 1
+    fi
+fi
+
+# Build PHP CI image
+echo ""
+echo "📦 Building PHP CI image..."
+docker build \
+  -f docker/ci/Dockerfile \
+  -t "${PHP_CI_IMAGE}" \
+  -t "${PHP_CI_REGISTRY_IMAGE}" \
+  --platform linux/amd64 \
+  .
+
+# Build Docker Build image
+echo ""
+echo "📦 Building Docker Build image..."
+docker build \
+  -f docker/ci/Dockerfile.build \
+  -t "${DOCKER_BUILD_IMAGE}" \
+  -t "${DOCKER_BUILD_REGISTRY_IMAGE}" \
+  --platform linux/amd64 \
+  .
+
+echo ""
+echo "✅ Images built successfully!"
+echo ""
+
+# Load images into docker-dind
+if docker ps | grep -q "gitea-runner-dind"; then
+    echo "📥 Loading images into docker-dind..."
+    
+    echo "   Loading php-ci:latest..."
+    docker save "${PHP_CI_IMAGE}" | docker exec -i gitea-runner-dind docker load
+    
+    echo "   Loading docker-build:latest..."
+    docker save "${DOCKER_BUILD_IMAGE}" | docker exec -i gitea-runner-dind docker load
+    
+    echo ""
+    echo "✅ Images loaded into docker-dind"
+else
+    echo "⚠️  docker-dind container not running - skipping image load"
+    echo "   To load images later, run:"
+    echo "   docker save ${PHP_CI_IMAGE} | docker exec -i gitea-runner-dind docker load"
+    echo "   docker save ${DOCKER_BUILD_IMAGE} | docker exec -i gitea-runner-dind docker load"
+fi
+
+echo ""
+echo "📋 Summary:"
+echo ""
+echo "✅ Built images:"
+echo "   - ${PHP_CI_IMAGE}"
+echo "   - ${DOCKER_BUILD_IMAGE}"
+echo ""
+
+# Check if .env exists and show label configuration
+if [ -f "${SCRIPT_DIR}/.env" ]; then
+    echo "📝 Current GITEA_RUNNER_LABELS in .env:"
+    grep "^GITEA_RUNNER_LABELS=" "${SCRIPT_DIR}/.env" || echo "   (not found)"
+    echo ""
+    echo "💡 Make sure your .env contains:"
+    echo "   GITEA_RUNNER_LABELS=...,php-ci:docker://${PHP_CI_IMAGE}"
+    echo ""
+    echo "   Or for registry images:"
+    echo "   GITEA_RUNNER_LABELS=...,php-ci:docker://${PHP_CI_REGISTRY_IMAGE}"
+else
+    echo "⚠️  .env file not found at ${SCRIPT_DIR}/.env"
+    echo "   Create it from .env.example and add php-ci label"
+fi
+
+echo ""
+echo "✅ Setup complete! The php-ci image is now available for Gitea workflows."
+echo ""
+echo "📝 Next steps (if needed):"
+echo "   1. Verify runner labels in Gitea UI"
+echo "   2. Test a workflow with runs-on: php-ci"
+echo ""
+