Move runner to oci, simplify deploy script

- Runner now runs on oci (arm64) — docker/kubectl are local, no SSH needed
- deploy-preview.py rewritten with subprocess (no os.system, no SSH)
  - deploy: build image, copy prod DB, create namespace, apply manifests
  - teardown: delete namespace + image
  - deploy-prod: build, push, rollout restart
- Simplified all workflow files to just call the Python script
- Deleted old hera-runner

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.gitea/workflows/deploy.yml

@@ -12,12 +12,5 @@ jobs:
       - name: Unit tests
         run: cd frontend && npm ci && npm run test:unit
 
-      - name: Build & Deploy
-        run: |
-          rsync -az --exclude node_modules --exclude .git --exclude .venv . oci:~/oil-calculator/
-          ssh oci "
-            cd ~/oil-calculator &&
-            docker build -t registry.oci.euphon.net/oil-calculator:latest . &&
-            docker push registry.oci.euphon.net/oil-calculator:latest &&
-            sudo k3s kubectl rollout restart deploy/oil-calculator -n oil-calculator
-          "
+      - name: Deploy
+        run: python3 scripts/deploy-preview.py deploy-prod

.gitea/workflows/preview.yml

@@ -3,9 +3,6 @@ on:
   pull_request:
     types: [opened, synchronize, reopened, closed]
 
-env:
-  BASE_DOMAIN: oil.oci.euphon.net
-
 jobs:
   deploy-preview:
     if: github.event.action != 'closed'
@@ -20,13 +17,15 @@ jobs:
         run: python3 scripts/deploy-preview.py deploy ${{ github.event.pull_request.number }}
 
       - name: Comment PR
+        env:
+          GIT_TOKEN: ${{ secrets.GIT_TOKEN }}
         run: |
           PR_ID="${{ github.event.pull_request.number }}"
-          curl -s -X POST \
+          curl -sf -X POST \
             "https://git.euphon.cloud/api/v1/repos/${{ github.repository }}/issues/${PR_ID}/comments" \
-            -H "Authorization: token ${{ secrets.GIT_TOKEN }}" \
+            -H "Authorization: token ${GIT_TOKEN}" \
             -H "Content-Type: application/json" \
-            -d "{\"body\": \"🚀 **Preview deployed**: https://pr-${PR_ID}.${BASE_DOMAIN}\n\nDB is a copy of production. Changes won't affect prod.\"}"
+            -d "{\"body\": \"🚀 **Preview**: https://pr-${PR_ID}.oil.oci.euphon.net\n\nDB is a copy of production.\"}" || true
 
   teardown-preview:
     if: github.event.action == 'closed'
@@ -34,14 +33,16 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: Teardown Preview
+      - name: Teardown
         run: python3 scripts/deploy-preview.py teardown ${{ github.event.pull_request.number }}
 
       - name: Comment PR
+        env:
+          GIT_TOKEN: ${{ secrets.GIT_TOKEN }}
         run: |
           PR_ID="${{ github.event.pull_request.number }}"
-          curl -s -X POST \
+          curl -sf -X POST \
             "https://git.euphon.cloud/api/v1/repos/${{ github.repository }}/issues/${PR_ID}/comments" \
-            -H "Authorization: token ${{ secrets.GIT_TOKEN }}" \
+            -H "Authorization: token ${GIT_TOKEN}" \
             -H "Content-Type: application/json" \
-            -d "{\"body\": \"🗑️ Preview environment torn down.\"}"
+            -d "{\"body\": \"🗑️ Preview torn down.\"}" || true