ci(openclaw): add build-push-deploy pipeline for Nix Docker image

Builds openclaw-image with Nix, loads into Docker, tags and pushes to
registry.johnogle.info/openclaw, then updates k3s-cluster-config manifest.

Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-openagent)

Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>

.gitea/workflows/ci.yml

@@ -104,3 +104,82 @@ jobs:
           fi
         env:
           NIX_CONFIG: "access-tokens = git.johnogle.info=${{ secrets.GITEA_ACCESS_TOKEN }}"
+
+  build-and-push-openclaw:
+    name: Build & Push OpenClaw Image
+    runs-on: ubuntu-latest
+    needs: check
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    outputs:
+      image_tag: ${{ steps.meta.outputs.tag }}
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: https://git.johnogle.info/johno/gitea-actions/nix-setup@v1
+
+      - name: Setup SSH for cache
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.CACHE_SSH_KEY }}" > ~/.ssh/cache_key
+          chmod 600 ~/.ssh/cache_key
+          ssh-keyscan -H ${{ secrets.CACHE_HOST }} >> ~/.ssh/known_hosts 2>/dev/null || true
+
+      - name: Generate image tag
+        id: meta
+        run: |
+          # Read the version from the nix definition
+          IMAGE_TAG=$(nix eval .#openclaw-image.outPath --raw 2>/dev/null | xargs basename | sed 's/.*-//')
+          # Fallback to short SHA if tag extraction fails
+          if [ -z "$IMAGE_TAG" ]; then
+            IMAGE_TAG=$(echo "${{ github.sha }}" | cut -c1-7)
+          fi
+          echo "tag=${IMAGE_TAG}" >> $GITHUB_OUTPUT
+          echo "Image will be tagged: ${IMAGE_TAG}"
+
+      - name: Build Docker image with Nix
+        run: nix build .#openclaw-image --cores 2
+        env:
+          NIX_CONFIG: "access-tokens = git.johnogle.info=${{ secrets.GITEA_ACCESS_TOKEN }}"
+
+      - name: Load and tag image
+        run: |
+          docker load < result
+          docker tag openclaw:${{ steps.meta.outputs.tag }} registry.johnogle.info/openclaw:${{ steps.meta.outputs.tag }}
+          docker tag openclaw:${{ steps.meta.outputs.tag }} registry.johnogle.info/openclaw:latest
+
+      - name: Login to registry
+        run: |
+          echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login registry.johnogle.info -u ${{ secrets.REGISTRY_USERNAME }} --password-stdin
+
+      - name: Push image
+        run: |
+          docker push registry.johnogle.info/openclaw:${{ steps.meta.outputs.tag }}
+          docker push registry.johnogle.info/openclaw:latest
+
+  deploy-openclaw:
+    name: Deploy OpenClaw to Cluster
+    runs-on: ubuntu-latest
+    needs: build-and-push-openclaw
+    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+    steps:
+      - name: Checkout k3s-cluster-config
+        uses: actions/checkout@v4
+        with:
+          repository: johno/k3s-cluster-config
+          token: ${{ secrets.CONFIG_REPO_TOKEN }}
+          path: k3s-cluster-config
+
+      - name: Update HelmRelease image tag
+        run: |
+          cd k3s-cluster-config
+          sed -i 's|tag: ".*"|tag: "${{ needs.build-and-push-openclaw.outputs.image_tag }}"|' \
+            clusters/oglenet/apps/communication/openclaw.yaml
+
+      - name: Commit and push
+        run: |
+          cd k3s-cluster-config
+          git config user.name "Gitea CI"
+          git config user.email "ci@johnogle.info"
+          git add clusters/oglenet/apps/communication/openclaw.yaml
+          git diff --cached --quiet || git commit -m "Deploy openclaw:${{ needs.build-and-push-openclaw.outputs.image_tag }}"
+          git push