ci: add Forgejo Actions pipeline + runner setup

- apps/forgejo/docker-compose.yml: enable FORGEJO__actions__ENABLED=true
- apps/forgejo-runner/docker-compose.yml: forgejo-runner:3.5.0 container
  mounts docker.sock so jobs can spin up containers on monk
- .forgejo/workflows/ci.yml: 3-job pipeline on every push to main
    compose-lint   → validates all apps/*/docker-compose.yml
    secrets-check  → scans for hardcoded passwords/tokens/keys
    shellcheck     → lints all scripts/*.sh
- docs/ci-cd-setup.md: runner registration steps + extension guide

PENDING (needs user action):
  1. docker compose up -d --force-recreate in apps/forgejo/ to apply env
  2. Get runner token from Forgejo admin panel
  3. Run forgejo-runner register with token, then docker compose up

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.forgejo/workflows/ci.yml

@@ -0,0 +1,77 @@
+name: KiteStacks CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  # ── Lint Docker Compose files ──────────────────────────────────────────────
+  compose-lint:
+    name: Validate compose files
+    runs-on: docker
+    container:
+      image: docker:27-cli
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install docker compose plugin
+        run: apk add --no-cache docker-cli-compose
+
+      - name: Validate all compose files
+        run: |
+          find apps -name "docker-compose.yml" | while read f; do
+            echo "Checking $f ..."
+            docker compose -f "$f" config --quiet && echo "  OK"
+          done
+
+  # ── Secret leak detection ──────────────────────────────────────────────────
+  secrets-check:
+    name: Check for accidental secrets
+    runs-on: docker
+    container:
+      image: alpine:3.20
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Scan for plaintext secrets patterns
+        run: |
+          # Fail if any committed file contains common secret patterns
+          # Add false-positive exclusions via .secretsignore if needed
+          FAIL=0
+          check() {
+            local pattern="$1"
+            local label="$2"
+            if git grep -qiP "${pattern}" -- ':!*.md' ':!docs/' ':!.forgejo/' 2>/dev/null; then
+              echo "FAIL: possible ${label} found"
+              git grep -ilP "${pattern}" -- ':!*.md' ':!docs/' ':!.forgejo/'
+              FAIL=1
+            fi
+          }
+
+          check 'password\s*=\s*["\x27][^"\x27]{8,}' "plaintext password"
+          check 'secret_?key\s*=\s*["\x27][A-Za-z0-9+/]{32,}' "hardcoded secret key"
+          check 'TUNNEL_TOKEN\s*=\s*ey' "Cloudflare tunnel token"
+          check '-----BEGIN.*PRIVATE KEY-----' "private key"
+
+          exit ${FAIL}
+
+  # ── Shell script checks ────────────────────────────────────────────────────
+  shellcheck:
+    name: Shellcheck scripts
+    runs-on: docker
+    container:
+      image: koalaman/shellcheck-alpine:stable
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run shellcheck
+        run: |
+          find scripts -name "*.sh" -exec shellcheck {} +