ci: branch-driven deploys (staging/production branches), build the pushed commit

main = day-to-day work (no deploy). Merge into staging -> :staging, into
production -> :production; IMAGE_TAG = branch name. Also fixes the checkout to
build the PUSHED commit (git checkout $GITHUB_SHA) instead of always cloning
the default branch.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

.gitea/workflows/build.yml

@@ -1,9 +1,14 @@
-name: Build and Push Docker Images Staging
+name: Build and Push Docker Images
 
+# Branch-driven deploys — no yaml edits to switch environment:
+#   merge into `staging`    -> tag :staging    (staging Watchtower deploys)
+#   merge into `production` -> tag :production (production Watchtower deploys)
+# `main` is the day-to-day work branch and deploys nothing.
 on:
   push:
     branches:
       - staging
+      - production
 
 env:
   GIT_HOST: git.easysoft.ro
@@ -16,18 +21,19 @@ env:
   CV_CLEANUP_JOB_IMAGE: apps/myai-cv-cleanup-job
   CV_SEARCH_JOB_IMAGE: apps/myai-cv-search-job
   PAGE_FETCHER_API_IMAGE: apps/myai-page-fetcher-api
-  IMAGE_TAG: staging
+  IMAGE_TAG: ${{ github.ref_name }}        # branch name == image tag (staging | production)
 
 jobs:
   build:
     runs-on: host
 
     steps:
-      - name: Checkout repository
+      - name: Checkout the pushed commit
         env:
           TOKEN: ${{ secrets.REPO_TOKEN }}
         run: |
           git clone "http://gelu:${TOKEN}@${GIT_HOST}:3000/${GITHUB_REPOSITORY}.git" .
+          git checkout "${{ github.sha }}"
 
       - name: Login to registry
         run: |