ci: add Forgejo Actions pipeline + runner setup

- apps/forgejo/docker-compose.yml: enable FORGEJO__actions__ENABLED=true
- apps/forgejo-runner/docker-compose.yml: forgejo-runner:3.5.0 container
  mounts docker.sock so jobs can spin up containers on monk
- .forgejo/workflows/ci.yml: 3-job pipeline on every push to main
    compose-lint   → validates all apps/*/docker-compose.yml
    secrets-check  → scans for hardcoded passwords/tokens/keys
    shellcheck     → lints all scripts/*.sh
- docs/ci-cd-setup.md: runner registration steps + extension guide

PENDING (needs user action):
  1. docker compose up -d --force-recreate in apps/forgejo/ to apply env
  2. Get runner token from Forgejo admin panel
  3. Run forgejo-runner register with token, then docker compose up

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

apps/forgejo-runner/docker-compose.yml

@@ -0,0 +1,26 @@
+services:
+  forgejo-runner:
+    image: code.forgejo.org/forgejo/runner:3.5.0
+    container_name: forgejo-runner
+    restart: unless-stopped
+    depends_on:
+      - forgejo
+    environment:
+      # Set after running: forgejo-runner register (see docs/ci-cd-setup.md)
+      FORGEJO_INSTANCE_URL: "http://forgejo:3000"
+    volumes:
+      - ./config:/etc/act_runner
+      - /var/run/docker.sock:/var/run/docker.sock
+      - runner_data:/data
+    networks:
+      - default
+      - kitestacks
+    command: daemon
+
+volumes:
+  runner_data:
+    name: forgejo_runner_data
+
+networks:
+  kitestacks:
+    external: true

apps/forgejo/docker-compose.yml

@@ -13,6 +13,7 @@ services:
       - FORGEJO__server__ROOT_URL=https://gitforge.kitestacks.com/
       - FORGEJO__server__SSH_DOMAIN=gitforge.kitestacks.com
       - FORGEJO__server__SSH_PORT=2222
+      - FORGEJO__actions__ENABLED=true
     volumes:
       - ./data:/data
     networks: