bump-stacks: invoked by stack-repo CI after a successful image push.
Clones libretech/gitops-sandbox, mutates stacks.yml to pin the new
short sha for the named stack, commits + pushes back. Idempotent —
exits 0 with a no-op notice when the sha is already pinned. Retries
up to 3× on non-fast-forward to absorb concurrent bumps.
deploy-stack: invoked by stack-repo deploy.yml (workflow_dispatch).
SSHes to netcup with a stack-scoped key, writes a .env.deploy file
pinning <STACK>_IMAGE, runs 'compose pull && compose up -d'. Writes
/srv/<stack>/.deployed for drift checks.
Michael Czechowski
f1ac88259b
