feat(ci): replace Drone CI with GitHub Actions workflow for build, promote, and deploy

- Remove existing Drone CI pipeline configuration (.drone.yml)
- Add GitHub Actions workflow (.gitea/workflows/build.yml) to:
  * Build and publish container images on master branch pushes
  * Promote and deploy images via workflow dispatch with optional commit SHA
  * Handle Podman login/logout and image operations
  * Restart and monitor Kubernetes deployment rollout
  * Notify failures via Pushover integration

.gitea/workflows/build.yml

@@ -0,0 +1,176 @@
+---
+name: publish
+
+on:
+  push:
+    branches: [ master ]
+  workflow_dispatch:
+    inputs:
+      sha:
+        description: Commit SHA to promote (defaults to dispatch SHA)
+        required: false
+        type: string
+
+permissions:
+  contents: read
+
+env:
+  REGISTRY_SERVER: docker.io
+  RELEASE_IMAGE_NAME: docker.io/genunix/homeassistant
+  KUBERNETES_NAMESPACE: hass
+
+jobs:
+  build-and-publish:
+    if: github.event_name == 'push'
+    runs-on: docker
+    container:
+      image: quay.io/podman/stable:v5.4
+      options: >-
+        --privileged
+        --security-opt seccomp=unconfined
+        --device /dev/fuse
+        --user root
+    env:
+      CONTAINERS_STORAGE_DRIVER: vfs
+      BUILDAH_FORMAT: docker
+      XDG_RUNTIME_DIR: /tmp/run
+    steps:
+      - name: Checkout
+        env:
+          SERVER_URL: ${{ github.server_url }}
+          REPOSITORY: ${{ github.repository }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        working-directory: ${{ github.workspace }}
+        run: |
+          set -euo pipefail
+          # Install git and ca-certs if missing (works across base distros)
+          if ! command -v git >/dev/null 2>&1; then
+            (command -v microdnf >/dev/null 2>&1 && microdnf -y install git ca-certificates tar gzip) \
+            || (command -v dnf >/dev/null 2>&1 && dnf -y install git ca-certificates tar gzip) \
+            || (command -v apk >/dev/null 2>&1 && apk add --no-cache git ca-certificates tar gzip) \
+            || (command -v apt-get >/dev/null 2>&1 && apt-get update && apt-get install -y git ca-certificates tar gzip)
+          fi
+          # Prepare auth if provided
+          HOST=$(echo "$SERVER_URL" | sed -E 's#https?://([^/]+)/?.*#\1#')
+          # Use token as password with a placeholder username
+          if [ -n "${GITHUB_TOKEN:-}" ]; then
+            printf "machine %s login %s password %s\n" "$HOST" "token" "$GITHUB_TOKEN" > $HOME/.netrc
+            chmod 600 $HOME/.netrc
+          fi
+          # Initialize and fetch exact commit
+          git init
+          git remote add origin "${SERVER_URL}/${REPOSITORY}.git"
+          git fetch --depth=1 origin "${GITHUB_SHA}"
+          git checkout -q FETCH_HEAD
+      - name: Podman login
+        env:
+          REGISTRY_USERNAME: ${{ secrets.dockerhub_username }}
+          REGISTRY_PASSWORD: ${{ secrets.dockerhub_password }}
+        working-directory: ${{ github.workspace }}
+        run: |
+          mkdir -p /var/lib/containers "$XDG_RUNTIME_DIR"
+          echo -n "$REGISTRY_PASSWORD" | podman login --username "$REGISTRY_USERNAME" --password-stdin "$REGISTRY_SERVER"
+      - name: Build image
+        id: build
+        working-directory: ${{ github.workspace }}
+        run: |
+          set -euo pipefail
+          HASS_VERSION=$(grep -E '^FROM ' Dockerfile | head -n1 | cut -d ':' -f 2)
+          echo "HASS_VERSION=$HASS_VERSION" >> "$GITHUB_OUTPUT"
+          echo "== Building ${RELEASE_IMAGE_NAME}:${GITHUB_SHA}"
+          podman build --pull-always --format docker -t "${RELEASE_IMAGE_NAME}:${GITHUB_SHA}" .
+      - name: Push images (SHA and HASS_VERSION)
+        working-directory: ${{ github.workspace }}
+        run: |
+          set -euo pipefail
+          echo "== Publishing ${RELEASE_IMAGE_NAME}:${GITHUB_SHA}"
+          podman push "${RELEASE_IMAGE_NAME}:${GITHUB_SHA}" "docker://${RELEASE_IMAGE_NAME}:${GITHUB_SHA}"
+          echo "== Publishing ${RELEASE_IMAGE_NAME}:${{ steps.build.outputs.HASS_VERSION }}"
+          podman push "${RELEASE_IMAGE_NAME}:${GITHUB_SHA}" "docker://${RELEASE_IMAGE_NAME}:${{ steps.build.outputs.HASS_VERSION }}"
+      - name: Logout
+        if: always()
+        run: |
+          podman logout "${REGISTRY_SERVER}"
+      - name: Notify via Pushover on failure
+        if: failure()
+        run: |
+          curl -s \
+            -F "token=${{ secrets.PUSHOVER_TOKEN }}" \
+            -F "user=${{ secrets.PUSHOVER_USER }}" \
+            --form-string "title=HomeAssistant Build Failed" \
+            --form-string "url=${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
+            -F "message=Workflow failed on ${{ github.repository }}" \
+            https://api.pushover.net/1/messages.json
+
+  promote-and-deploy:
+    if: github.event_name == 'workflow_dispatch'
+    runs-on: docker
+    container:
+      image: quay.io/podman/stable:v5.4
+      options: >-
+        --privileged
+        --security-opt seccomp=unconfined
+        --device /dev/fuse
+        --user root
+    env:
+      CONTAINERS_STORAGE_DRIVER: vfs
+      BUILDAH_FORMAT: docker
+      XDG_RUNTIME_DIR: /tmp/run
+      SHA_INPUT: ${{ inputs.sha }}
+    steps:
+      - name: Podman login
+        env:
+          REGISTRY_USERNAME: ${{ secrets.dockerhub_username }}
+          REGISTRY_PASSWORD: ${{ secrets.dockerhub_password }}
+        run: |
+          mkdir -p /var/lib/containers "$XDG_RUNTIME_DIR"
+          echo -n "$REGISTRY_PASSWORD" | podman login --username "$REGISTRY_USERNAME" --password-stdin "$REGISTRY_SERVER"
+      - name: Promote latest from SHA
+        run: |
+          set -euo pipefail
+          SHA_TO_PROMOTE=${SHA_INPUT:-${GITHUB_SHA}}
+          echo "== Promoting ${RELEASE_IMAGE_NAME}:${SHA_TO_PROMOTE} into production"
+          podman pull "docker://${RELEASE_IMAGE_NAME}:${SHA_TO_PROMOTE}"
+          podman push "${RELEASE_IMAGE_NAME}:${SHA_TO_PROMOTE}" "docker://${RELEASE_IMAGE_NAME}:latest"
+      - name: Logout
+        if: always()
+        run: |
+          podman logout "${REGISTRY_SERVER}"
+      - name: Notify via Pushover on failure
+        if: failure()
+        run: |
+          curl -s \
+            -F "token=${{ secrets.PUSHOVER_TOKEN }}" \
+            -F "user=${{ secrets.PUSHOVER_USER }}" \
+            --form-string "title=HomeAssistant Promote Failed" \
+            --form-string "url=${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
+            -F "message=Workflow failed on ${{ github.repository }}" \
+            https://api.pushover.net/1/messages.json
+
+  deploy:
+    if: github.event_name == 'workflow_dispatch'
+    runs-on: docker
+    needs: promote-and-deploy
+    container:
+      image: bitnami/kubectl:1.32
+    steps:
+      - name: Write kubeconfig
+        env:
+          KUBECONFIG_CONTENT: ${{ secrets.kubeconfig }}
+        run: |
+          echo "$KUBECONFIG_CONTENT" > kubeconfig
+      - name: Rollout restart
+        run: |
+          kubectl --kubeconfig=kubeconfig -n ${KUBERNETES_NAMESPACE} rollout restart deployment/hass
+          kubectl --kubeconfig=kubeconfig -n ${KUBERNETES_NAMESPACE} rollout status deployment/hass
+      - name: Notify via Pushover on failure
+        if: failure()
+        run: |
+          curl -s \
+            -F "token=${{ secrets.PUSHOVER_TOKEN }}" \
+            -F "user=${{ secrets.PUSHOVER_USER }}" \
+            --form-string "title=HomeAssistant Deploy Failed" \
+            --form-string "url=${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
+            -F "message=Workflow failed on ${{ github.repository }}" \
+            https://api.pushover.net/1/messages.json
+