ci: proper CI + self-hosted runner deploy workflow

ci.yml — runs on GitHub's servers (free):
- API: dotnet build + test with Postgres/Redis service containers
- Dashboard + Finder: TypeScript typecheck (tsc --noEmit)

deploy.yml — runs on YOUR Linux server (self-hosted runner):
- Triggers on every push to main
- docker compose build --parallel (BuildKit cache)
- Rolling restart with --no-deps --remove-orphans
- Health-check poll: waits up to 2min for API healthy
- Auto-prunes old images after successful deploy

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

.github/workflows/deploy.yml

@@ -1,20 +1,71 @@
-name: Deploy
+name: Deploy to Production
 
 on:
   push:
-    tags:
-      - "v*"
+    branches: [main]
+
+# Only one deploy runs at a time; newer push cancels in-progress one
+concurrency:
+  group: production-deploy
+  cancel-in-progress: true
 
 jobs:
-  build-images:
-    runs-on: ubuntu-latest
+  deploy:
+    name: Build & deploy on server
+    runs-on: self-hosted          # ← runs on YOUR Linux server
+    timeout-minutes: 30
+
     steps:
-      - uses: actions/checkout@v4
-      - name: Build API image
-        run: docker build -f docker/api/Dockerfile -t meezi-api:${{ github.ref_name }} .
-      - name: Build Web image
-        run: docker build -f docker/web/Dockerfile -t meezi-web:${{ github.ref_name }} .
-      - name: Deploy note
+      - name: Checkout latest code
+        uses: actions/checkout@v4
+
+      # Copy .env if it exists outside the repo (first deploy won't have it)
+      - name: Ensure .env exists
         run: |
-          echo "Push images to your registry and deploy on Arvan per DEPLOY.md"
-          echo "Required secrets: registry credentials, connection strings (not in repo)"
+          if [ ! -f .env ]; then
+            echo "⚠️  No .env found — copy .env.example and fill in secrets!"
+            cp .env.example .env
+          fi
+
+      # Build only the changed service images, skip rebuild if nothing changed
+      - name: Build Docker images
+        run: |
+          docker compose build --parallel \
+            --build-arg BUILDKIT_INLINE_CACHE=1 \
+            api web website finder
+        env:
+          DOCKER_BUILDKIT: 1
+          COMPOSE_DOCKER_CLI_BUILD: 1
+
+      # Rolling restart — database and redis are untouched if already healthy
+      - name: Start / restart services
+        run: |
+          docker compose up -d \
+            --remove-orphans \
+            --no-deps \
+            postgres redis api web website finder
+
+      # Wait for API healthcheck before declaring success
+      - name: Wait for API health
+        run: |
+          echo "Waiting for API to become healthy..."
+          for i in $(seq 1 24); do
+            STATUS=$(docker inspect --format='{{.State.Health.Status}}' meezi-api 2>/dev/null || echo "missing")
+            echo "  attempt $i/24 — $STATUS"
+            if [ "$STATUS" = "healthy" ]; then
+              echo "✅ API is healthy"
+              exit 0
+            fi
+            sleep 5
+          done
+          echo "❌ API did not become healthy in time"
+          docker compose logs --tail=50 api
+          exit 1
+
+      - name: Show running containers
+        if: always()
+        run: docker compose ps
+
+      - name: Prune old images
+        if: success()
+        run: docker image prune -f