ci: staged deployment — push to main→staging, git tag→prod

- Push to main builds ARM64 image and deploys to docfast-staging namespace
- Push a version tag (v*) promotes latest image to docfast namespace (prod)
- Both use same deployer SA with namespace-scoped RBAC

.forgejo/workflows/deploy.yml

@@ -1,12 +1,12 @@
-name: Build & Deploy to K3s
+name: Build & Deploy to Staging
 
 on:
   push:
     branches: [ main ]
 
 jobs:
-  build-and-deploy:
+  build-and-stage:
-    name: Build & Deploy
+    name: Build & Deploy to Staging
     runs-on: ubuntu-latest
 
     steps:
@@ -36,7 +36,7 @@ jobs:
           git.cloonar.com/openclawd/docfast:${{ github.sha }}
         platforms: linux/arm64
 
-    - name: Deploy to K3s
+    - name: Deploy to Staging
       run: |
         curl -sLO "https://dl.k8s.io/release/$(curl -sL https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
         chmod +x kubectl
@@ -45,9 +45,9 @@ jobs:
 
         ./kubectl set image deployment/docfast \
           docfast=git.cloonar.com/openclawd/docfast:${{ github.sha }} \
-          -n docfast --kubeconfig=/tmp/kubeconfig.yaml
+          -n docfast-staging --kubeconfig=/tmp/kubeconfig.yaml
 
         ./kubectl rollout status deployment/docfast \
-          -n docfast --kubeconfig=/tmp/kubeconfig.yaml --timeout=180s
+          -n docfast-staging --kubeconfig=/tmp/kubeconfig.yaml --timeout=180s
 
-        echo "✅ Deploy complete!"
+        echo "✅ Staging deploy complete!"

.forgejo/workflows/promote.yml

@@ -0,0 +1,53 @@
+name: Promote to Production
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  promote:
+    name: Deploy to Production
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Install kubectl
+      run: |
+        curl -sLO "https://dl.k8s.io/release/$(curl -sL https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
+        chmod +x kubectl
+
+    - name: Get image from tag
+      id: image
+      run: |
+        # Tag format: v0.2.1 or v0.2.1-rc1
+        # The staging pipeline already pushed the image with the commit SHA
+        # We retag with the version tag for traceability
+        echo "tag=${{ github.ref_name }}" >> "$GITHUB_OUTPUT"
+
+    - name: Login to Forgejo Registry
+      uses: docker/login-action@v3
+      with:
+        registry: git.cloonar.com
+        username: openclawd
+        password: ${{ secrets.REGISTRY_TOKEN }}
+
+    - name: Retag image for production
+      run: |
+        # Pull latest staging image and tag with version
+        docker pull --platform linux/arm64 git.cloonar.com/openclawd/docfast:latest
+        docker tag git.cloonar.com/openclawd/docfast:latest \
+          git.cloonar.com/openclawd/docfast:${{ steps.image.outputs.tag }}
+        docker push git.cloonar.com/openclawd/docfast:${{ steps.image.outputs.tag }}
+
+    - name: Deploy to Production
+      run: |
+        echo "${{ secrets.KUBECONFIG }}" | base64 -d > /tmp/kubeconfig.yaml
+
+        ./kubectl set image deployment/docfast \
+          docfast=git.cloonar.com/openclawd/docfast:${{ steps.image.outputs.tag }} \
+          -n docfast --kubeconfig=/tmp/kubeconfig.yaml
+
+        ./kubectl rollout status deployment/docfast \
+          -n docfast --kubeconfig=/tmp/kubeconfig.yaml --timeout=180s
+
+        echo "✅ Production deploy complete! Version: ${{ steps.image.outputs.tag }}"