Add deploy workflow that builds image and dispatches infra bump

.github/workflows/deploy.yml

@@ -0,0 +1,92 @@
+name: Deploy
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:
+    inputs:
+      ref:
+        description: "Ref (branch / tag / SHA) to build and deploy. Defaults to main."
+        required: false
+        default: "main"
+
+permissions:
+  contents: read
+  packages: write
+
+concurrency:
+  group: deploy-production
+  cancel-in-progress: false
+
+jobs:
+  build-and-push:
+    name: build and push image
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    outputs:
+      image_digest: ${{ steps.push.outputs.digest }}
+      target_sha: ${{ steps.resolve.outputs.sha }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          ref: ${{ inputs.ref || github.sha }}
+          fetch-depth: 1
+
+      - name: Resolve target SHA
+        id: resolve
+        run: echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+      - name: Log in to GHCR
+        uses: docker/login-action@5e57cd118135c172c3672efd2d6d95d0d3c2eaf3 # v4.2.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push image
+        id: push
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v7.2.0
+        with:
+          context: .
+          push: true
+          tags: |
+            ghcr.io/${{ github.repository }}:${{ steps.resolve.outputs.sha }}
+            ghcr.io/${{ github.repository }}:latest
+
+  trigger-infra-bump:
+    name: trigger infra digest bump
+    needs: build-and-push
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: Preflight — verify required secrets are set
+        env:
+          INFRA_DISPATCH_TOKEN: ${{ secrets.INFRA_DISPATCH_TOKEN }}
+        run: |
+          set -euo pipefail
+          if [ -z "${INFRA_DISPATCH_TOKEN:-}" ]; then
+            echo "::error::Missing required secret: INFRA_DISPATCH_TOKEN"
+            echo "Needs a fine-grained PAT with contents:write on Stoganet/infra to fire repository_dispatch."
+            exit 1
+          fi
+          echo "All required secrets are set."
+
+      - name: Fire repository_dispatch at infra
+        env:
+          GH_TOKEN: ${{ secrets.INFRA_DISPATCH_TOKEN }}
+          OWNER: ${{ github.repository_owner }}
+          TARGET_SHA: ${{ needs.build-and-push.outputs.target_sha }}
+          IMAGE_DIGEST: ${{ needs.build-and-push.outputs.image_digest }}
+        run: |
+          set -euo pipefail
+          [ -n "${IMAGE_DIGEST}" ] || { echo "::error::IMAGE_DIGEST is empty — aborting dispatch"; exit 1; }
+          [ -n "${TARGET_SHA}" ]   || { echo "::error::TARGET_SHA is empty — aborting dispatch"; exit 1; }
+          gh api -X POST "repos/${OWNER}/infra/dispatches" \
+            -f "event_type=api-proxy-bump" \
+            -f "client_payload[sha]=${TARGET_SHA}" \
+            -f "client_payload[digest]=${IMAGE_DIGEST}"
+          echo "Dispatched api-proxy-bump to ${OWNER}/infra (sha=${TARGET_SHA})"