fix(ci): resolve 3 Gitea Actions pipeline failures

- Remove upload-artifact step (unsupported on Gitea GHES)
- Replace architecture+audit jobs with unified validate job running validate_all.py
- Update docs: DEPLOY_HOST must be 172.17.0.1 (Docker bridge), not 127.0.0.1
- Add ufw rule for Docker bridge network SSH access

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.gitea/workflows/ci.yml

@@ -76,7 +76,7 @@ jobs:
       - name: Run tests
         run: python -m pytest tests/ -v --tb=short
 
-  architecture:
+  validate:
     runs-on: ubuntu-latest
     env:
       DATABASE_URL: "postgresql://dummy:dummy@localhost:5432/dummy"
@@ -94,8 +94,8 @@ jobs:
       - name: Install dependencies
         run: uv pip install --system -r requirements.txt
 
-      - name: Validate architecture
-        run: python scripts/validate/validate_architecture.py
+      - name: Run all validators
+        run: python scripts/validate/validate_all.py
 
   # ---------------------------------------------------------------------------
   # Security (non-blocking)
@@ -116,32 +116,13 @@ jobs:
       - name: Run pip-audit
         run: pip-audit --requirement requirements.txt || true
 
-  audit:
-    runs-on: ubuntu-latest
-    continue-on-error: true
-    steps:
-      - uses: actions/checkout@v4
-
-      - uses: actions/setup-python@v5
-        with:
-          python-version: ${{ env.PYTHON_VERSION }}
-
-      - name: Install uv
-        run: pip install uv
-
-      - name: Install dependencies
-        run: uv pip install --system -r requirements.txt -r requirements-dev.txt
-
-      - name: Run audit
-        run: python scripts/validate/validate_audit.py
-
   # ---------------------------------------------------------------------------
   # Build (docs - only on push to master)
   # ---------------------------------------------------------------------------
   docs:
     runs-on: ubuntu-latest
     if: github.event_name == 'push' && github.ref == 'refs/heads/master'
-    needs: [ruff, pytest, architecture]
+    needs: [ruff, pytest, validate]
     steps:
       - uses: actions/checkout@v4
 
@@ -158,19 +139,13 @@ jobs:
       - name: Build docs
         run: mkdocs build
 
-      - name: Upload docs artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: docs-site
-          path: site/
-
   # ---------------------------------------------------------------------------
-  # Deploy (master-only, after lint + tests + architecture pass)
+  # Deploy (master-only, after lint + tests + validate pass)
   # ---------------------------------------------------------------------------
   deploy:
     runs-on: ubuntu-latest
     if: github.event_name == 'push' && github.ref == 'refs/heads/master'
-    needs: [ruff, pytest, architecture]
+    needs: [ruff, pytest, validate]
     steps:
       - name: Deploy to production
         uses: appleboy/ssh-action@v1

docs/deployment/gitea.md

@@ -192,7 +192,7 @@ The workflow file lives in `.gitea/workflows/ci.yml` (already created in this re
 | `services:` (top-level on job) | `services:` nested under each job with `options:` |
 | `allow_failure: true` | `continue-on-error: true` |
 | `rules: - if:` | `on:` triggers + `if:` conditionals per job |
-| `artifacts: paths:` | `actions/upload-artifact@v4` |
+| `artifacts: paths:` | `actions/upload-artifact@v4` (not supported on Gitea GHES) |
 | `cache: paths:` | `actions/cache@v4` |
 | `coverage: '/regex/'` | Use coverage action or parse in step |
 | CI/CD Variables (UI) | Repository **Settings > Secrets** |
@@ -206,10 +206,13 @@ Configure these in your Gitea repository under **Settings > Actions > Secrets**:
 | Secret | Description | Used by |
 |--------|-------------|---------|
 | `DEPLOY_SSH_KEY` | Ed25519 private key for deployment | Deploy job |
-| `DEPLOY_HOST` | Production server IP (e.g. `127.0.0.1`) | Deploy job |
+| `DEPLOY_HOST` | Docker bridge gateway IP: `172.17.0.1` (see note below) | Deploy job |
 | `DEPLOY_USER` | SSH user on production server (e.g. `samir`) | Deploy job |
 | `DEPLOY_PATH` | App directory on server (e.g. `/home/samir/apps/orion`) | Deploy job |
 
+!!! important "DEPLOY_HOST must be `172.17.0.1`, not `127.0.0.1`"
+    The Gitea Actions runner executes CI jobs inside Docker containers. From inside the container, `127.0.0.1` refers to the container itself, not the host machine. Use `172.17.0.1` (the Docker bridge gateway) so the SSH action can reach the host's SSH daemon. When Gitea and Orion are split onto separate servers, update this to the Orion server's real IP.
+
 ---
 
 ## 8. Pipeline Overview
@@ -220,14 +223,13 @@ The CI pipeline (`.gitea/workflows/ci.yml`) runs:
 push/PR to master
 ├── ruff          (lint)
 ├── pytest        (tests + PostgreSQL service)
-├── architecture  (architecture validation)
+├── validate      (all 4 validators: architecture, security, performance, audit)
 ├── dependency-scanning  (pip-audit, non-blocking)
-├── audit         (custom audit, non-blocking)
-├── docs          (mkdocs build, master-only, after lint+test pass)
-└── deploy        (SSH deploy, master-only, after lint+test+arch pass)
+├── docs          (mkdocs build, master-only, after lint+test+validate pass)
+└── deploy        (SSH deploy, master-only, after lint+test+validate pass)
 ```
 
-All jobs run in parallel except `docs` and `deploy`, which wait for `ruff`, `pytest`, and `architecture` to pass. The `deploy` job only runs on push (not PRs).
+All jobs run in parallel except `docs` and `deploy`, which wait for `ruff`, `pytest`, and `validate` to pass. The `deploy` job only runs on push (not PRs).
 
 ---
 
@@ -239,7 +241,7 @@ The CI pipeline includes an automated deploy job that runs on every successful p
   deploy:
     runs-on: ubuntu-latest
     if: github.event_name == 'push' && github.ref == 'refs/heads/master'
-    needs: [ruff, pytest, architecture]
+    needs: [ruff, pytest, validate]
     steps:
       - name: Deploy to production
         uses: appleboy/ssh-action@v1
@@ -270,6 +272,8 @@ See [Hetzner Server Setup — Step 16](hetzner-server-setup.md#step-16-continuou
 ```bash
 sudo ufw allow OpenSSH
 sudo ufw allow 'Nginx Full'
+# Allow CI containers (Docker bridge) to SSH to the host for deployment
+sudo ufw allow from 172.17.0.0/16 to any port 22
 sudo ufw enable
 ```
 

docs/deployment/hetzner-server-setup.md

@@ -688,14 +688,14 @@ Verify the runner shows as **Online** in Gitea: **Site Administration > Actions
 
 ## Step 16: Continuous Deployment
 
-Automate deployment on every successful push to master. The Gitea Actions runner and the app both run on the same server, so the deploy job SSHes from the CI Docker container to `127.0.0.1`.
+Automate deployment on every successful push to master. The Gitea Actions runner and the app both run on the same server, so the deploy job SSHes from the CI Docker container to `172.17.0.1` (Docker bridge gateway — see note in 16.2).
 
 ```
 push to master
   ├── ruff ──────┐
   ├── pytest ────┤
-  └── architecture ─┤
-                    └── deploy (SSH → scripts/deploy.sh)
+  └── validate ──┤
+                 └── deploy (SSH → scripts/deploy.sh)
                           ├── git stash / pull / pop
                           ├── docker compose up -d --build
                           ├── alembic upgrade heads
@@ -716,10 +716,13 @@ In **Repository Settings > Actions > Secrets**, add:
 | Secret | Value |
 |---|---|
 | `DEPLOY_SSH_KEY` | Contents of `~/.ssh/deploy_ed25519` (private key) |
-| `DEPLOY_HOST` | `127.0.0.1` |
+| `DEPLOY_HOST` | `172.17.0.1` (Docker bridge gateway — **not** `127.0.0.1`) |
 | `DEPLOY_USER` | `samir` |
 | `DEPLOY_PATH` | `/home/samir/apps/orion` |
 
+!!! important "Why `172.17.0.1` and not `127.0.0.1`?"
+    CI jobs run inside Docker containers where `127.0.0.1` is the container, not the host. `172.17.0.1` is the Docker bridge gateway that routes to the host. Ensure the firewall allows SSH from the Docker bridge network: `sudo ufw allow from 172.17.0.0/16 to any port 22`. When Gitea and Orion are on separate servers, replace with the Orion server's IP.
+
 ### 16.3 Deploy Script
 
 The deploy script lives at `scripts/deploy.sh` in the repository. It:
@@ -735,13 +738,13 @@ Exit codes: `0` success, `1` git pull failed, `2` docker compose failed, `3` mig
 
 ### 16.4 CI Workflow
 
-The deploy job in `.gitea/workflows/ci.yml` runs only on master push, after `ruff`, `pytest`, and `architecture` pass:
+The deploy job in `.gitea/workflows/ci.yml` runs only on master push, after `ruff`, `pytest`, and `validate` pass:
 
 ```yaml
 deploy:
   runs-on: ubuntu-latest
   if: github.event_name == 'push' && github.ref == 'refs/heads/master'
-  needs: [ruff, pytest, architecture]
+  needs: [ruff, pytest, validate]
   steps:
     - name: Deploy to production
       uses: appleboy/ssh-action@v1