ci: build-triggers-deploy — set image after build-and-push

We build this image, so the Woodpecker pipeline should also drive the
rollout: atomic + deterministic, no wait for Keel's poll and no risk of
Keel resolving :latest to a stale concrete tag. build-and-push now tags
both latest and the 8-char SHA; a new deploy step runs `kubectl set
image` (bitnami/kubectl, in-cluster cluster-admin SA — no kubeconfig) for
the fire-planner container + the alembic-migrate init container (shared
image, must move in lockstep), then waits on rollout status. Keel stays
enrolled in parallel as a redundant net. Deploy already has the
KEEL_IGNORE_IMAGE ignore_changes so CI set image won't fight terragrunt.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

.woodpecker.yml

@@ -23,6 +23,26 @@ steps:
             from_secret: forgejo_push_token
       dockerfile: Dockerfile
       context: .
-      auto_tag: true
       platforms:
         - linux/amd64
+      tags:
+        - "latest"
+        - "${CI_COMMIT_SHA:0:8}"
+
+  # We build the image, so we drive the rollout too — atomic + deterministic,
+  # no wait for Keel's hourly poll and no risk of Keel resolving :latest to a
+  # stale concrete tag. Keel stays enrolled in parallel as a redundant net
+  # (it finds the SHA already running → no-op). set image on a NEW :SHA always
+  # changes the pod template → guaranteed rollout, and bootstraps off any
+  # legacy pinned tag with no manual step. Sets the alembic-migrate init
+  # container too — it shares the image so its tag must move in lockstep.
+  - name: deploy
+    image: bitnami/kubectl:latest
+    depends_on:
+      - build-and-push
+    when:
+      branch: master
+      event: [push, manual]
+    commands:
+      - "kubectl set image deployment/fire-planner fire-planner=forgejo.viktorbarzin.me/viktor/fire-planner:${CI_COMMIT_SHA:0:8} alembic-migrate=forgejo.viktorbarzin.me/viktor/fire-planner:${CI_COMMIT_SHA:0:8} -n fire-planner"
+      - "kubectl rollout status deployment/fire-planner -n fire-planner --timeout=300s"