Fix Gitea CI stuck at setup-dotnet/setup-node due to blocked CDNs

Root cause: actions/setup-dotnet@v4 downloads .NET from
download.visualstudio.microsoft.com and actions/setup-node@v4 downloads
Node from nodejs.org — both CDNs are blocked from Iran so jobs hang at 0s.

Fix:
- All .NET jobs: add container: mcr.microsoft.com/dotnet/sdk:10.0
  so .NET is already inside the image — no download needed.
  Remove actions/setup-dotnet step entirely.
- All Node.js jobs: add container: node:20-alpine
  so Node/npm are already inside the image — no download needed.
  Remove actions/setup-node step entirely.
- api-build: add postgres + redis service containers + env vars so
  dotnet test can actually connect to a database (was silently failing).
- deploy job: change back to runs-on: self-hosted
  ubuntu-latest containers don't have Docker CLI — docker compose
  commands would fail immediately. Deploy MUST run on the server.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.gitea/workflows/ci-cd.yml

@@ -13,6 +13,7 @@ concurrency:
 
 # ─────────────────────────────────────────────────────────────────────────────
 # CI — runs on every push AND every PR
+# Uses pre-built container images so nothing is downloaded from blocked CDNs.
 # ─────────────────────────────────────────────────────────────────────────────
 jobs:
 
@@ -20,14 +21,31 @@ jobs:
   api-build:
     name: "CI · API (dotnet build + test)"
     runs-on: ubuntu-latest
+    # Use official .NET SDK image — no setup-dotnet download needed
+    container:
+      image: mcr.microsoft.com/dotnet/sdk:10.0
+    services:
+      postgres:
+        image: postgres:16-alpine
+        env:
+          POSTGRES_DB: meezi_test
+          POSTGRES_USER: meezi
+          POSTGRES_PASSWORD: meezi_test_pass
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 5s
+          --health-timeout 5s
+          --health-retries 10
+      redis:
+        image: redis:7-alpine
+        options: >-
+          --health-cmd "redis-cli ping"
+          --health-interval 5s
+          --health-timeout 3s
+          --health-retries 10
     steps:
       - uses: actions/checkout@v4
 
-      - name: Setup .NET 10
-        uses: actions/setup-dotnet@v4
-        with:
-          dotnet-version: "10.0.x"
-
       - name: Restore
         run: dotnet restore src/Meezi.API/Meezi.API.csproj
 
@@ -36,19 +54,19 @@ jobs:
 
       - name: Test
         run: dotnet test --no-build -c Release --logger "console;verbosity=minimal"
+        env:
+          ConnectionStrings__DefaultConnection: "Host=postgres;Port=5432;Database=meezi_test;Username=meezi;Password=meezi_test_pass"
+          ConnectionStrings__Redis: "redis:6379"
 
   # ── Admin API ───────────────────────────────────────────────────────────────
   admin-api-build:
     name: "CI · Admin API (dotnet build)"
     runs-on: ubuntu-latest
+    container:
+      image: mcr.microsoft.com/dotnet/sdk:10.0
     steps:
       - uses: actions/checkout@v4
 
-      - name: Setup .NET 10
-        uses: actions/setup-dotnet@v4
-        with:
-          dotnet-version: "10.0.x"
-
       - name: Restore
         run: dotnet restore src/Meezi.Admin.API/Meezi.Admin.API.csproj
 
@@ -59,14 +77,13 @@ jobs:
   dashboard-check:
     name: "CI · Dashboard (tsc)"
     runs-on: ubuntu-latest
+    container:
+      image: node:20-alpine
     defaults:
       run:
         working-directory: web/dashboard
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: "20"
       - run: npm install --legacy-peer-deps --ignore-scripts
       - run: npx tsc --noEmit
         env:
@@ -76,14 +93,13 @@ jobs:
   admin-web-check:
     name: "CI · Admin Web (tsc)"
     runs-on: ubuntu-latest
+    container:
+      image: node:20-alpine
     defaults:
       run:
         working-directory: web/admin
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: "20"
       - run: npm install --legacy-peer-deps --ignore-scripts
       - run: npx tsc --noEmit
         env:
@@ -93,14 +109,13 @@ jobs:
   website-check:
     name: "CI · Website (tsc)"
     runs-on: ubuntu-latest
+    container:
+      image: node:20-alpine
     defaults:
       run:
         working-directory: web/website
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: "20"
       - run: npm install --legacy-peer-deps --ignore-scripts
       - run: npx tsc --noEmit
         env:
@@ -110,25 +125,26 @@ jobs:
   finder-check:
     name: "CI · Finder (tsc)"
     runs-on: ubuntu-latest
+    container:
+      image: node:20-alpine
     defaults:
       run:
         working-directory: web/finder
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: "20"
       - run: npm install --legacy-peer-deps --ignore-scripts
       - run: npx tsc --noEmit
         env:
           NEXT_PUBLIC_API_URL: http://localhost:5080
 
 # ─────────────────────────────────────────────────────────────────────────────
-# DEPLOY — only on push to main, only if ALL CI jobs pass
+# DEPLOY — only on push to main, only if ALL CI jobs pass.
+# MUST run on self-hosted: needs Docker CLI on the actual production server.
+# ubuntu-latest containers do not have Docker inside them.
 # ─────────────────────────────────────────────────────────────────────────────
   deploy:
     name: "Deploy · all services"
-    runs-on: ubuntu-latest
+    runs-on: self-hosted
     needs:
       - api-build
       - admin-api-build