ci(deploy): push kustomization updates to deploy branch, not master

The CI bot was committing image-tag bumps back to master after every
Docker build, which forced a `git pull --rebase` before every developer
push. Moving the kustomization commit to a dedicated `deploy` branch
keeps master clean — the build bot no longer diverges it.

Argo CD / Flux should now watch the `deploy` branch (targetRevision:
deploy) instead of master.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.gitea/workflows/docker-build.yml

@@ -60,19 +60,17 @@ jobs:
           curl -sL https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv5.4.3/kustomize_v5.4.3_linux_amd64.tar.gz | tar xz
           sudo mv kustomize /usr/local/bin/kustomize
 
-      - name: Pin image tag in deploy manifests
-        run: |
-          cd deploy
-          kustomize edit set image solitaire-server=${{ env.IMAGE }}:${{ steps.meta.outputs.sha }}
-
-      - name: Commit and push updated kustomization
+      - name: Pin image tag and push to deploy branch
         run: |
           git config user.email "ci@gitea.local"
           git config user.name "Gitea CI"
+          # Switch to the deploy branch, creating it from the current HEAD if absent.
+          git fetch origin deploy 2>/dev/null && git checkout deploy || git checkout -b deploy
+          # Update the pinned image tag.
+          cd deploy
+          kustomize edit set image solitaire-server=${{ env.IMAGE }}:${{ steps.meta.outputs.sha }}
+          cd ..
           git add deploy/kustomization.yaml
-          git diff --cached --quiet && exit 0  # nothing to commit — skip push
+          git diff --cached --quiet && exit 0
           git commit -m "chore(deploy): bump image to ${{ steps.meta.outputs.sha }} [skip ci]"
-          for i in 1 2 3; do
-            git pull --rebase origin master && git push && break
-            sleep 5
-          done
+          git push origin deploy