feat(deploy): Switch Render to pull pre-built Docker images from private GHCR #167

@arunderwood

Summary

Currently Render clones the repo and builds Docker images on every deploy (~3-5 min). GitHub Actions already builds and pushes images to GHCR. We should have Render pull pre-built images instead, saving build time and reducing redundancy.

Goals

  1. Faster deploys: ~3-5 min → ~30-60s (just pull + start)
  2. No duplicate builds: GitHub builds once, Render just pulls
  3. Privacy: Make GHCR images private to hide baked-in Grafana/OTEL endpoints

Implementation Steps

Step 1: Make GHCR Package Private (GitHub UI)

  1. Go to https://github.com/arunderwood/nextskip/pkgs/container/nextskip
  2. Package settings → Danger Zone → Change visibility to Private

Step 2: Create GitHub PAT for Render

  1. Create fine-grained token at https://github.com/settings/tokens
  2. Permissions: Packages → Read
  3. Save token for Render configuration

Step 3: Configure Render Service (Render Dashboard)

  1. Service Settings → Change from "Git repository" to "Existing Image"
  2. Image URL: ghcr.io/arunderwood/nextskip:main
  3. Add GHCR credential (username + PAT)

Step 4: Add Webhook Trigger (Code Change)

Render doesn't auto-deploy on image push. Add to .github/workflows/ci.yml:

      - name: Trigger Render Deploy
        if: github.ref == 'refs/heads/main'
        run: |
          # --fail makes a non-2xx response from the hook fail this step
          # instead of passing silently; -sS keeps errors but drops the progress bar
          curl --fail -sS -X POST "${{ secrets.RENDER_DEPLOY_HOOK_URL }}"

Add RENDER_DEPLOY_HOOK_URL as GitHub secret (from Render service settings).

Step 5: Remove Render Git Connection

Once image-based deploys work, disconnect the Git repo to prevent Render from triggering builds.

Security Notes

  • Private GHCR image hides built artifacts from public inspection
  • .env.production with Grafana URLs is still in public source code
  • Fork PRs cannot push to private packages (uses GITHUB_TOKEN)
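A way to confirm that Step 1 actually achieved the privacy goal above, as an added check that is not part of the nextskip repository: it performs the anonymous token exchange and manifest GET that any unauthenticated client would, and reports whether ghcr.io/arunderwood/nextskip:main is still pullable without credentials. It assumes ghcr.io follows the standard OCI distribution flow (anonymous `/token`, then `/v2/.../manifests/<tag>`) and that a 200 on the manifest means the image is public.

```python
# Added verification script, not part of the nextskip repo. Assumes ghcr.io's
# standard OCI distribution flow: an anonymous bearer token from /token, then a
# manifest GET; HTTP 200 means anyone can pull the image without credentials.
import json
import urllib.error
import urllib.request

REGISTRY = "ghcr.io"
REPO = "arunderwood/nextskip"  # image path from the issue
TAG = "main"
MANIFEST_TYPES = ("application/vnd.oci.image.index.v1+json, application/vnd.oci.image.manifest.v1+json, "
                  "application/vnd.docker.distribution.manifest.list.v2+json, "
                  "application/vnd.docker.distribution.manifest.v2+json")

def classify(status: int) -> str:
    """Map the manifest request's HTTP status to a visibility verdict."""
    if status == 200:
        return "public"    # anyone can pull: the privacy goal is NOT met
    if status in (401, 403):
        return "private"   # registry refused the anonymous token
    if status == 404:
        return "missing"   # wrong name/tag, or hidden by the registry
    return "unknown"

def _get_status(req) -> int:
    # HTTP status of a request; 4xx/5xx are results here, not exceptions
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code

def anonymous_manifest_status(repo=REPO, tag=TAG, registry=REGISTRY) -> int:
    """Anonymous token exchange followed by a manifest GET; returns the status."""
    token_url = f"https://{registry}/token?scope=repository:{repo}:pull"
    try:
        with urllib.request.urlopen(token_url, timeout=15) as resp:
            token = json.load(resp).get("token", "")
    except urllib.error.HTTPError as e:
        return e.code  # the token endpoint itself refused anonymous access
    req = urllib.request.Request(
        f"https://{registry}/v2/{repo}/manifests/{tag}",
        headers={"Authorization": f"Bearer {token}", "Accept": MANIFEST_TYPES},
    )
    return _get_status(req)

if __name__ == "__main__":
    verdict = classify(anonymous_manifest_status())
    print(f"{REGISTRY}/{REPO}:{TAG} is {verdict}")
    raise SystemExit(0 if verdict == "private" else 1)
```

Run it from a machine with no GHCR credentials (a `docker logout ghcr.io` first avoids any cached login); a non-zero exit after the visibility change means the package is still readable and Step 1 needs another look. It does not cover the second note above: `.env.production` in the public repo stays visible regardless of package visibility.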
