ci: gitea actions — lint, typecheck, broker tests, amd64 build verify

Four parallel jobs on push to main and on PRs:

- lint — pnpm lint (turbo across workspace)
- typecheck — pnpm typecheck (turbo across workspace)
- test-broker — pgvector/pg17 service container, drizzle-kit migrate,
  then vitest on apps/broker (64 tests per DEPLOY_SPEC.md)
- build-amd64 — docker buildx build of broker + migrate + web images
  for linux/amd64 (catches Linux-only Dockerfile bugs that Mac local
  buildx can't hit reliably, closes the documented multi-arch followup)

All jobs use frozen-lockfile install + pnpm-store cache via setup-node.
Regenerates pnpm-lock.yaml to resolve apps/cli zod catalog drift that
was silently blocking any frozen-lockfile install (shipped under same
commit since CI cannot pass without it).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.gitea/workflows/ci.yml

@@ -0,0 +1,117 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  NODE_VERSION: "22.17.0"
+  PNPM_VERSION: "10.25.0"
+  FORCE_COLOR: "1"
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: pnpm/action-setup@v4
+        with:
+          version: ${{ env.PNPM_VERSION }}
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: "pnpm"
+      - run: pnpm install --frozen-lockfile
+      - run: pnpm lint
+
+  typecheck:
+    name: Typecheck
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: pnpm/action-setup@v4
+        with:
+          version: ${{ env.PNPM_VERSION }}
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: "pnpm"
+      - run: pnpm install --frozen-lockfile
+      - run: pnpm typecheck
+
+  test-broker:
+    name: Broker tests (Postgres)
+    runs-on: ubuntu-latest
+    services:
+      postgres:
+        image: pgvector/pgvector:pg17
+        env:
+          POSTGRES_USER: turbostarter
+          POSTGRES_PASSWORD: turbostarter
+          POSTGRES_DB: claudemesh_test
+        ports:
+          - 5440:5432
+        options: >-
+          --health-cmd="pg_isready -U turbostarter"
+          --health-interval=5s
+          --health-timeout=3s
+          --health-retries=10
+    env:
+      DATABASE_URL: postgresql://turbostarter:turbostarter@127.0.0.1:5440/claudemesh_test
+    steps:
+      - uses: actions/checkout@v4
+      - uses: pnpm/action-setup@v4
+        with:
+          version: ${{ env.PNPM_VERSION }}
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: "pnpm"
+      - run: pnpm install --frozen-lockfile
+      - name: Run migrations
+        run: pnpm --filter "@turbostarter/db" db:migrate
+      - name: Broker test suite
+        run: pnpm --filter "@claudemesh/broker" test
+
+  build-amd64:
+    name: Docker build (linux/amd64)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-buildx-action@v3
+      - name: Build broker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: apps/broker/Dockerfile
+          platforms: linux/amd64
+          push: false
+          tags: claudemesh-broker:ci
+          build-args: |
+            GIT_SHA=${{ github.sha }}
+      - name: Build migrate image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: packages/db/Dockerfile
+          platforms: linux/amd64
+          push: false
+          tags: claudemesh-migrate:ci
+      - name: Build web image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: apps/web/Dockerfile
+          platforms: linux/amd64
+          push: false
+          tags: claudemesh-web:ci
+          build-args: |
+            NEXT_PUBLIC_URL=https://claudemesh.com

pnpm-lock.yaml

@@ -173,7 +173,7 @@ importers:
         specifier: 8.20.0
         version: 8.20.0
       zod:
-        specifier: 'catalog:'
+        specifier: 4.1.13
         version: 4.1.13
     devDependencies:
       '@turbostarter/eslint-config':