feat(infra): in-cluster Gitea Actions runner (act_runner + dind)

Self-registering act_runner on node1 with a privileged docker:dind sidecar so
workflow jobs can build + push app images (k3s has containerd only, no Docker
daemon). Labels ubuntu-latest + docker; state persisted on a Longhorn PVC. The
registration token is applied out-of-band as the gitea-runner-token Secret
(not in git). Verified: runner declared successfully, dind API up.

infrastructure/production/fleet/ci/gitea-runner.yaml

@@ -0,0 +1,96 @@
+# Gitea Actions runner for the dezky monorepo, in-cluster on node1.
+#
+# Builds + pushes app images (platform-api / portal / booking) to the Gitea
+# container registry on push. A privileged docker:dind sidecar provides the
+# Docker daemon the runner's jobs use for `docker build`/`buildx` — k3s itself
+# only has containerd, no Docker daemon.
+#
+# The registration token is NOT in git — create the 'gitea-runner-token' Secret
+# out-of-band:
+#   kubectl -n gitea-runner create secret generic gitea-runner-token \
+#     --from-literal=token=<gitea registration token>
+# act_runner auto-registers on first start (persisted on the runner-data PVC).
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: gitea-runner
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: runner-data
+  namespace: gitea-runner
+spec:
+  accessModes: [ReadWriteOnce]
+  storageClassName: longhorn
+  resources:
+    requests:
+      storage: 2Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: act-runner
+  namespace: gitea-runner
+  labels:
+    app: act-runner
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: act-runner
+  template:
+    metadata:
+      labels:
+        app: act-runner
+    spec:
+      containers:
+        - name: runner
+          image: gitea/act_runner:0.2.11
+          env:
+            - name: GITEA_INSTANCE_URL
+              value: https://git.lastcloud.io
+            - name: GITEA_RUNNER_REGISTRATION_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: gitea-runner-token
+                  key: token
+            - name: GITEA_RUNNER_NAME
+              value: dezky-k3s
+            # Map ubuntu-latest (used by .gitea/workflows/ci.yml) to a Docker
+            # image with the usual build tooling; jobs run via the dind sidecar.
+            - name: GITEA_RUNNER_LABELS
+              value: "ubuntu-latest:docker://catthehacker/ubuntu:act-22.04,docker:docker://docker:27-cli"
+            - name: DOCKER_HOST
+              value: tcp://localhost:2376
+            - name: DOCKER_CERT_PATH
+              value: /certs/client
+            - name: DOCKER_TLS_VERIFY
+              value: "1"
+          volumeMounts:
+            - name: runner-data
+              mountPath: /data
+            - name: docker-certs
+              mountPath: /certs
+        - name: dind
+          image: docker:27-dind
+          securityContext:
+            privileged: true
+          env:
+            - name: DOCKER_TLS_CERTDIR
+              value: /certs
+          volumeMounts:
+            - name: docker-certs
+              mountPath: /certs
+            - name: dind-storage
+              mountPath: /var/lib/docker
+      volumes:
+        - name: runner-data
+          persistentVolumeClaim:
+            claimName: runner-data
+        - name: docker-certs
+          emptyDir: {}
+        - name: dind-storage
+          emptyDir: {}