feat: add dev and prod deployment scaffolding

DEPLOYMENT.md

@@ -0,0 +1,68 @@
+# Deployment
+
+## Branch strategy
+- `develop`: test/staging deployments
+- `main`: production deployments
+- keep one private GitHub repository
+
+## Local development
+- current `docker-compose.yml` remains the development stack
+- use `.env` or `.env.dev.example` as the template
+
+## Test deployment server
+- copy `.env.test.example` to `.env.test` on the server
+- recommended path: `/opt/workdock/.env.test`
+- current test target: `192.168.2.55`
+
+## Production deployment server
+- copy `.env.prod.example` to `.env.prod` on the server
+- use HTTPS and secure cookies in production
+
+## Server bootstrap
+Install:
+- `git`
+- `docker`
+- `docker compose plugin`
+- `curl`
+
+Recommended app directory:
+- `/opt/workdock`
+
+## First clone on server
+```bash
+git clone git@github.com:OWNER/REPO.git /opt/workdock
+cd /opt/workdock
+cp .env.test.example .env.test
+```
+
+## Test deploy manually
+```bash
+cd /opt/workdock
+./scripts/deploy_stack.sh .env.test docker-compose.prod.yml
+```
+
+## Production deploy manually
+```bash
+cd /opt/workdock
+./scripts/deploy_stack.sh .env.prod docker-compose.prod.yml
+```
+
+## GitHub Actions secrets
+### Development environment
+- `TEST_DEPLOY_HOST`
+- `TEST_DEPLOY_USER`
+- `TEST_DEPLOY_SSH_KEY`
+- `TEST_DEPLOY_PORT`
+- `TEST_DEPLOY_PATH`
+
+### Production environment
+- `PROD_DEPLOY_HOST`
+- `PROD_DEPLOY_USER`
+- `PROD_DEPLOY_SSH_KEY`
+- `PROD_DEPLOY_PORT`
+- `PROD_DEPLOY_PATH`
+
+## Important note for the test server
+`.env.test.example` is intentionally configured for an HTTP LAN test deployment.
+That means `RUN_DJANGO_CHECK=0` is used in the test deploy workflow, because the application security checks require secure cookies when `DEBUG=0`.
+For real production, use `.env.prod` behind HTTPS and keep `RUN_DJANGO_CHECK=1`.