ci(delivery): add deploy and release workflow scaffolds

docs/product-engineering/delivery-pipeline.md

@@ -0,0 +1,77 @@
+# Delivery Pipeline
+
+## Scope
+
+Operational pipeline baseline for image build/push, staging deploy, production promotion, and rollback.
+
+## Registry Credentials Strategy
+
+Use scoped Gitea secrets:
+
+- `CMS_IMAGE_REGISTRY`
+- `CMS_IMAGE_NAMESPACE`
+- `CMS_IMAGE_REGISTRY_USER`
+- `CMS_IMAGE_REGISTRY_PASSWORD`
+
+Policy:
+
+- credentials only in CI secrets
+- no plaintext credentials in repo
+- least privilege: push/pull for target namespace only
+
+## Build and Push Flow
+
+- Workflow: `.gitea/workflows/release.yml`
+- Trigger:
+  - tag push `vX.Y.Z`
+  - manual `workflow_dispatch`
+- Steps:
+  1. validate tag vs root `package.json` version
+  2. generate changelog
+  3. docker login
+  4. build and push `cms-web` and `cms-admin` images
+
+## Staging Deployment Automation
+
+- Workflow: `.gitea/workflows/deploy.yml`
+- Manual input:
+  - `environment=staging`
+  - `image_tag=vX.Y.Z`
+- Remote deployment uses SSH + compose file:
+  - `docker-compose.staging.yml`
+
+Required secrets:
+
+- `CMS_STAGING_HOST`
+- `CMS_STAGING_USER`
+- `CMS_DEPLOY_KEY`
+- `CMS_REMOTE_DEPLOY_PATH`
+
+## Production Promotion and Rollback
+
+Promotion:
+
+- run deploy workflow with:
+  - `environment=production`
+  - `image_tag=vX.Y.Z`
+
+Rollback:
+
+- release workflow supports rollback placeholder by image tag
+- deploy workflow supports `rollback_tag` input
+- recovery action:
+  - rerun deploy with previous known-good tag
+
+## Deployment Verification
+
+After deploy:
+
+1. app health checks (web/admin)
+2. auth smoke flow
+3. i18n smoke flow
+4. critical route checks (`/`, `/login`, `/todo`)
+
+## Notes
+
+- Current workflows are production-oriented scaffolds and require secret provisioning in Gitea.
+- Host hardening, network ACLs, and backup policy remain mandatory operational controls.