strip docker type — site-publish is static-content only

Removes type: docker handling from action.yaml, scripts (build/deploy/utils/setup),
and templates (deployment.yaml.j2, service-docker.yaml.j2). Renamed
service-static.yaml.j2 -> service.yaml.j2.

If site.yaml has type: docker, parse_site_yaml() now dies with a clear message
pointing to action/image-build + action/image-push + action/image-deploy with
hand-authored apps-repo manifests. rainsounds.vino.network was the only docker
consumer and has already migrated.

Drops registry-password input from action.yaml (no longer needed).

README.md

@@ -1,12 +1,20 @@
 # action/site-publish
 
-Composite Gitea Action that publishes a website to the fritzlab k8s cluster.
-Supports `static`, `hugo`, `mkdocs` (content → Garage S3 + ExternalName Service)
-and `docker` (Dockerfile → Deployment + headless Service). Handles manifest
-rendering, TLS via cert-manager, and Garage bucket aliases.
+Composite Gitea Action that publishes a **static-content** website to the
+fritzlab k8s cluster. Supports `static`, `hugo`, and `mkdocs`. Content goes
+to a Garage S3 bucket; Traefik fronts the bucket via an `ExternalName`
+Service with cert-manager TLS.
 
-Renamed from `fritzlab/publish-site` → `action/site-publish` as part of the
-2026 action-org consolidation.
+> **Containerized web apps (Dockerfile-based) are NOT handled here.** Use the
+> standard image-producer chain instead:
+> [`action/image-build`](https://code.fritzlab.net/action/image-build) +
+> [`action/image-push`](https://code.fritzlab.net/action/image-push) +
+> [`action/image-deploy`](https://code.fritzlab.net/action/image-deploy).
+> Hand-author the apps-repo manifests once (Deployment, Service, Ingress,
+> Certificate, kustomization with `images:` block) and let `image-deploy`
+> pin the tag on every push. See `sjc001/websites/rainsounds.vino.network/`
+> for the canonical example. site-publish errors out explicitly if
+> `site.yaml` has `type: docker`.
 
 ## Convention
 
@@ -28,7 +36,7 @@ Or do it manually. `site.yaml`:
 
 ```yaml
 domain: my-site.vino.network
-type: static          # static | hugo | mkdocs | docker
+type: static          # static | hugo | mkdocs
 # content_dir: html   # subdirectory containing content (default: repo root)
 # aliases:            # additional hostnames (each gets a globalAlias on the bucket)
 #   - www.my-site.vino.network
@@ -68,12 +76,11 @@ my-site.fritzlab.net  300  IN  CNAME  traefik.edge.svc.k8s.sjc001.fritzlab.net.
 | Input | Required | Default | Description |
 |---|---|---|---|
 | `token` | yes | | Gitea token for apps repo push |
-| `s3-access-key` | static/hugo/mkdocs | | Garage `ci-deploy-key` access key id |
-| `s3-secret-key` | static/hugo/mkdocs | | Garage `ci-deploy-key` secret key |
+| `s3-access-key` | yes | | Garage `ci-deploy-key` access key id |
+| `s3-secret-key` | yes | | Garage `ci-deploy-key` secret key |
 | `s3-endpoint` | no | `http://garage.storage.svc:3900` | Garage S3 endpoint |
-| `garage-admin-token` | static/hugo/mkdocs (only if site has `aliases`) | | Garage admin API token (`admin-token` from `garage-rpc-secret` in `storage` ns) |
+| `garage-admin-token` | only if site has `aliases` | | Garage admin API token (`admin-token` from `garage-rpc-secret` in `storage` ns) |
 | `garage-admin-endpoint` | no | `http://garage.storage.svc:3903` | Garage admin API endpoint |
-| `registry-password` | docker | inputs.token | Container registry password |
 | `username` | no | `ci-bot` | Gitea username |
 
 Org secrets in `websites`: `CI_BOT_TOKEN`, `GARAGE_S3_ACCESS_KEY`,
@@ -105,3 +112,10 @@ There is no "first-deploy vs. update" branching — every deploy is idempotent.
 No nginx pods, no per-site Docker images. Garage matches `Host:` header to
 bucket name (or any of its globalAliases), so every site shares a single
 ExternalName target.
+
+## History
+
+- 2026-05-06: removed `type: docker` support. The single docker site
+  (`rainsounds.vino.network`) migrated to the `image-*` chain. site-publish
+  is now scoped strictly to static-content sites.
+- 2026-05-06: renamed from `fritzlab/publish-site` → `action/site-publish`.