feat(ci): smoke test staging deploy after up --wait

Healthchecks prove containers are healthy on the docker network; they
do not prove the public URL is reachable, HSTS still fires, or
/actuator is still blocked at the edge. Add a post-deploy smoke step
to nightly.yml that:

  1. GETs https://staging.raddatz.cloud/login (frontend reachable)
  2. asserts the response includes the Strict-Transport-Security header
  3. asserts /actuator/health returns 404 (defense-in-depth verified)

Failure aborts the workflow before the env-file cleanup step. The
cleanup step still runs because it is `if: always()`.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.gitea/workflows/nightly.yml

@@ -75,6 +75,20 @@ jobs:
             --profile staging \
             up -d --wait --remove-orphans
 
+      - name: Smoke test deployed environment
+        # Healthchecks confirm containers are healthy; they do NOT confirm the
+        # public surface works. This step catches: Caddy not reloaded, DNS
+        # missing, HSTS header dropped, /actuator block bypassed.
+        run: |
+          set -e
+          URL="https://staging.raddatz.cloud"
+          echo "Smoke test: $URL"
+          curl -fsS --max-time 10 "$URL/login" -o /dev/null
+          curl -fsS --max-time 10 -I "$URL/" | grep -qi 'strict-transport-security'
+          status=$(curl -s -o /dev/null -w "%{http_code}" --max-time 10 "$URL/actuator/health")
+          [ "$status" = "404" ] || { echo "expected 404 from /actuator/health, got $status"; exit 1; }
+          echo "All smoke checks passed"
+
       - name: Cleanup env file
         if: always()
         run: rm -f .env.staging