ci: revert artifact approach, use BuildKit cache for Maven deps

Gitea Actions doesn't support upload/download-artifact v4.
Reverted to two-job approach (git clone + docker build).
Added BuildKit cache mount (--mount=type=cache,target=/root/.m2)
to Dockerfile so Maven deps persist across Docker builds on the
same runner. First build downloads, subsequent builds are cached.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.gitea/workflows/ci.yml

@@ -32,13 +32,6 @@ jobs:
           mvn clean verify -B
           -Dsurefire.excludes="**/AuthControllerTest.java,**/TenantControllerTest.java,**/LicenseControllerTest.java,**/AuditRepositoryTest.java,**/CameleerSaasApplicationTest.java,**/EnvironmentControllerTest.java,**/AppControllerTest.java,**/DeploymentControllerTest.java"
 
-      - name: Upload JAR artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: app-jar
-          path: target/cameleer-saas-*.jar
-          retention-days: 1
-
   docker:
     needs: build
     runs-on: ubuntu-latest
@@ -49,10 +42,11 @@ jobs:
         username: cameleer
         password: ${{ secrets.REGISTRY_TOKEN }}
     steps:
-      - name: Download JAR artifact
+      - name: Checkout
-        uses: actions/download-artifact@v4
+        run: |
-        with:
+          git clone --depth=1 --branch=${GITHUB_REF_NAME} https://cameleer:${REGISTRY_TOKEN}@gitea.siegeln.net/${GITHUB_REPOSITORY}.git .
-          name: app-jar
+        env:
+          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
 
       - name: Login to registry
         run: echo "$REGISTRY_TOKEN" | docker login gitea.siegeln.net -u cameleer --password-stdin
@@ -78,24 +72,11 @@ jobs:
 
       - name: Build and push
         run: |
-          # Build runtime-only image from pre-built JAR (no Maven needed)
-          mkdir -p build-context
-          cp cameleer-saas-*.jar build-context/app.jar
-          cat > build-context/Dockerfile << 'DOCKERFILE'
-          FROM eclipse-temurin:21-jre-alpine
-          WORKDIR /app
-          RUN addgroup -S cameleer && adduser -S cameleer -G cameleer
-          COPY app.jar app.jar
-          USER cameleer
-          EXPOSE 8080
-          ENTRYPOINT ["java", "-jar", "app.jar"]
-          DOCKERFILE
-
           TAGS="-t gitea.siegeln.net/cameleer/cameleer-saas:${{ github.sha }}"
           for TAG in $IMAGE_TAGS; do
             TAGS="$TAGS -t gitea.siegeln.net/cameleer/cameleer-saas:$TAG"
           done
-          docker build $TAGS --provenance=false build-context/
+          docker build $TAGS --provenance=false .
           for TAG in $IMAGE_TAGS ${{ github.sha }}; do
             docker push gitea.siegeln.net/cameleer/cameleer-saas:$TAG
           done

Dockerfile

@@ -1,11 +1,11 @@
-# Dockerfile
+# syntax=docker/dockerfile:1
 FROM eclipse-temurin:21-jdk-alpine AS build
 WORKDIR /build
 COPY .mvn/ .mvn/
 COPY mvnw pom.xml ./
-RUN ./mvnw dependency:go-offline -B
+RUN --mount=type=cache,target=/root/.m2/repository ./mvnw dependency:go-offline -B
 COPY src/ src/
-RUN ./mvnw package -DskipTests -B
+RUN --mount=type=cache,target=/root/.m2/repository ./mvnw package -DskipTests -B
 
 FROM eclipse-temurin:21-jre-alpine
 WORKDIR /app