feat: initial commit — kubectl/configure, infisical/fetch-secret, helm/upgrade actions

README.md

@@ -0,0 +1,47 @@
+# stat-tackler-infra
+
+Central deployment repository for the stat-tackler platform. All production releases are coordinated from here.
+
+## How to cut a production release
+
+1. Update `releases/versions.yaml` with the semver tag you want deployed for each service.
+2. Open a PR to `main` and merge it.
+3. Publish a release in Gitea. The deploy workflow fires automatically and rolls out every service in the versions file.
+
+To skip a service in a given release, comment it out in `versions.yaml`.
+
+## Repository layout
+
+```
+.gitea/
+  actions/kubectl/configure/   # Reusable kubectl setup action
+  workflows/
+    deploy-prod.yaml           # Coordinated production deployment
+releases/
+  versions.yaml                # Source of truth for what is deployed to production
+```
+
+## Services
+
+| Service | Repo |
+|---|---|
+| API | `stat-tackler-api` |
+| Auth UI | `stat-tackler-auth` |
+| Scorekeeper UI | `stat-tackler-scorekeeper` |
+| Admin UI | `stat-tackler-admin` |
+| Marketing site | `stat-tackler-marketing` |
+| Email relay | `stat-tackler-email-relay` |
+| MCP server | `stat-tackler-mcp` |
+
+Each service owns its own Helm chart (`./helm/`) and handles its own staging deploys. This repo only manages coordinated production releases.
+
+## Runner requirements
+
+The `helm` runner must have `helm`, `kubectl`, and `yq` available.
+
+## Required secrets
+
+| Secret | Purpose |
+|---|---|
+| `K8S_TROWBRIDGE_K0S0_CONFIG` | Kubeconfig for the production cluster |
+| `REGISTRY_AGENT_TOKEN` | Gitea token with read access to all service repos and the container registry |