CI/CD ECR Deployment Flow Completion

Completed

Production backend Docker image workflow exists at .gitea/workflows/build-production-docker.yml.
Workflow trigger is configured for push to main and manual workflow_dispatch.
Workflow builds backend/Dockerfile with Docker Buildx, validates image size, and runs a smoke test.
Workflow logs in to ECR, creates the repository if missing, and pushes both ${GITHUB_SHA} and latest tags.
Production Docker Compose file exists at deploy/docker-compose.prod.yml and pulls images from ECR instead of building locally.
Production deploy guide exists at deploy/README.md with EC2-side ECR login, Compose pull/up, health check, logs, and stop commands.
Cloudflare IPv4 ingress rules were added to AWS security group sg-064bf6675c881fde3 for tcp/80 and tcp/443.

EC2 will not auto-pull and restart yet. The operator will log in to the single EC2 host and start Docker Compose manually after ECR image confirmation.
Public 0.0.0.0/0 ingress for tcp/80 and tcp/443 remains until https://api.meeyao.com or the agreed health endpoint is confirmed healthy.
Gitea workflow does not yet include SSH or SSM deployment steps.

Confirm the PR is merged to main or otherwise pushed to main.
Confirm Gitea Actions runs the production Docker workflow successfully.
Confirm ECR contains the backend image tagged with the commit SHA and latest.
Operator manually logs in to EC2 and runs the documented Compose deployment commands.
Confirm local EC2 health check returns {"status":"ok"}.
Confirm external API health through Cloudflare.
Remove 0.0.0.0/0 ingress for tcp/80 and tcp/443 only after external health is confirmed.