eryao/.trellis/tasks/archive/2026-04/04-29-cicd-ecr-deployment-flow/prd.md

CI/CD ECR Deployment Flow Record

Goal

Record the current production CI/CD state for the backend Docker deployment path and preserve the handoff point before EC2 manual service startup.

Scope

  • Document that pushes to main trigger the Gitea workflow to build the backend Docker image.
  • Document that the workflow validates the image and pushes ${GITHUB_SHA} and latest tags to AWS ECR.
  • Document that Cloudflare IPv4 CIDR ingress rules were added for tcp/80 and tcp/443 on security group sg-064bf6675c881fde3 in us-east-2.
  • Document that the open 0.0.0.0/0 ingress rules for tcp/80 and tcp/443 remain in place until the API is healthy.
  • Document that final EC2 service startup is intentionally manual: the operator will log in to the single EC2 host and run Docker Compose after confirming the image exists in ECR.
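One way to audit the ingress state described in the scope above, as an added example that is not part of this repository or its workflow. It parses output in the shape of `aws ec2 describe-security-groups`; the group id, the CIDRs (documentation ranges standing in for the Cloudflare IPv4 list) and all function names are assumptions.

```python
import json

WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group id is a placeholder; CIDRs are documentation ranges, not Cloudflare's.
SAMPLE = json.loads("""
{"SecurityGroups": [{"GroupId": "sg-EXAMPLE", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "Ipv6Ranges": [],
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "198.51.100.0/24"},
                {"CidrIp": "203.0.113.0/24"}]},
  {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "Ipv6Ranges": [],
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "198.51.100.0/24"},
                {"CidrIp": "203.0.113.0/24"}]},
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "Ipv6Ranges": [],
   "IpRanges": [{"CidrIp": "192.0.2.10/32"}]}
]}]}
""")


def covers(perm, port):
    """True if an IpPermissions entry applies to the given TCP port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # all protocols, all ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit_web_ingress(group, ports=(80, 443)):
    """Per port: is it still world-open, and which narrower CIDRs allow it."""
    report = {p: {"world_open": False, "restricted": set()} for p in ports}
    for perm in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for port in ports:
            if not covers(perm, port):
                continue
            for cidr in cidrs:
                if cidr in WORLD:
                    report[port]["world_open"] = True
                else:
                    report[port]["restricted"].add(cidr)
    return report


def restricted_rules_in_place(report):
    """Dropping the open rules leaves no port without ingress. API health is a separate check."""
    return all(r["restricted"] for r in report.values())
```

Running `audit_web_ingress` on the real group after the API is healthy shows which ports still report `world_open`, which is the cleanup this record leaves pending.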

Out of Scope

  • Automated SSH or SSM deployment to EC2.
  • ECS task definition or service deployment.
  • Removing the public 0.0.0.0/0 security group rules before API health is confirmed.

Acceptance Criteria

  • Trellis task records the completed CI/CD preparation work.
  • The task is archived after recording completion.
  • The temporary root-level DEPLOYMENT_REPORT.md is removed.
  • Current repository changes are committed on dev, pushed, and proposed for merge to main.
  • After merge or main push triggers CI, ECR is checked for the uploaded backend image.