fix(ci): create .env in workspace before sync (DIND path issue)

Phase 1 — .env provisioning fix:
The previous approach tried to write .env directly to
/opt/openclaw/data/openclaw/workspace/nexus from inside the
runner's job container, but that host path is not mounted there.

Fix: write .env from Gitea secrets into the workspace first,
then sync it along with the source code via the existing
Docker-in-Docker pattern (which can access the host path).

Combined the separate '.env creation' and 'sync code' steps
into a single atomic 'Sync code + .env to host' step.

.gitea/workflows/deploy.yaml

@@ -87,36 +87,30 @@ jobs:
           git push "https://devops:${{ secrets.GIT_TOKEN }}@git.noveria.net/bao/nexus.git" HEAD:main --force --tags
           echo "✅ Version bumped to v${NEW_VERSION}"
 
-      # ── Step 3: Provision .env on host ────────
-      # The sync step excludes .env for security, so we re-create it
-      # from Gitea secrets at the host deploy path BEFORE syncing code.
-      - name: Create .env on host
+      # ── Step 3: Sync code + .env to host ──────
+      # Creates .env from Gitea secrets in the workspace, then syncs
+      # everything (except .git) to the host deploy path via DIND.
+      - name: Sync code + .env to host
         run: |
-          cat > /opt/openclaw/data/openclaw/workspace/nexus/.env << 'ENVEOF'
+          # Create .env from Gitea secrets in the workspace
+          cat > "${{ gitea.workspace }}/.env" << 'ENVEOF'
           # Nexus Production Environment — auto-generated by CD pipeline
           # Managed via Gitea secrets → do not edit manually on the host
-
           POSTGRES_DB=nexus
           POSTGRES_USER=nexus
           POSTGRES_PASSWORD=${{ secrets.ENV_POSTGRES_PASSWORD }}
-
           JWT_KEY=${{ secrets.ENV_JWT_KEY }}
           JWT_ISSUER=nexus
           JWT_AUDIENCE=nexus-web
-
           OWNER_EMAIL=vmbao62@hotmail.de
           OWNER_PASSWORD=${{ secrets.ENV_OWNER_PASSWORD }}
           OWNER_DISPLAY_NAME=
-
           OPENCLAW_BASE_URL=http://host.docker.internal:18789
           OPENCLAW_GATEWAY_TOKEN=${{ secrets.ENV_OPENCLAW_TOKEN }}
           OPENCLAW_GATEWAY_PASSWORD=
           ENVEOF
-          echo "✅ .env created at host deploy path"
 
-      # ── Step 4: Sync code to host ─────────────
-      - name: Sync code to host deploy path
-        run: |
+          # Sync everything (except .git) from workspace to host
           docker run --rm \
             -v "${{ gitea.workspace }}:/src:ro" \
             -v /opt/openclaw/data/openclaw/workspace/nexus:/dest \
@@ -125,15 +119,15 @@ jobs:
               cd /src && \
               find . -mindepth 1 -maxdepth 1 \
                 ! -name .git \
-                ! -name .env \
                 -exec cp -a {} /dest/ \;
             "
+          echo "✅ Code + .env synced to host deploy path"
 
-      # ── Step 5: Docker Buildx ─────────────────
+      # ── Step 4: Docker Buildx ─────────────────
       - name: Set up Docker Buildx
         run: docker buildx create --use 2>/dev/null || true
 
-      # ── Step 6: Build & Deploy ────────────────
+      # ── Step 5: Build & Deploy ────────────────
       - name: Build & Deploy
         run: |
           BUILD_ARGS=""
@@ -159,7 +153,7 @@ jobs:
               fi
             "
 
-      # ── Step 7: Health Check ──────────────────
+      # ── Step 6: Health Check ──────────────────
       - name: Health Check
         run: |
           sleep 5
@@ -174,7 +168,7 @@ jobs:
             sleep 5
           done
 
-      # ── Step 8: Smoke test ────────────────────
+      # ── Step 7: Smoke test ────────────────────
       - name: Verify (smoke test)
         run: |
           echo "🔍 Smoke test..."