feat(demo): automate OCI deployment via GitHub Actions

- Add deploy-demo.yml workflow: SSH deploy on push to main/public_demo,
  auto-downloads fixtures if absent, rebuilds and restarts the stack
- Add reset_demo.sh: wipes postgres/redis/media volumes, preserves
  caddy_data/caddy_config to avoid Let's Encrypt rate limits
- Update docker-compose.demo.yml: add restart policies, make
  REQUESTS_CA_BUNDLE/CURL_CA_BUNDLE variable-substituted for OCI vs. local dev
- Update .env.demo.example: add CA bundle section defaulting to system bundle
- Update demo-commands.sh: also read COMPOSE_FILE from .env
- Update DEMO_DEPLOY.md: full OCI deployment guide replacing Fly.io content,
  add automated deploy notes and local testing variable table

Author: jat255

.github/workflows/deploy-demo.yml

@@ -0,0 +1,44 @@
+name: Deploy Demo
+
+on:
+  push:
+    branches: ["main", "public_demo"]
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    environment: demo
+
+    steps:
+      - name: Deploy to OCI demo server
+        uses: appleboy/ssh-action@v1
+        with:
+          host: ${{ vars.DEMO_SSH_HOST }}
+          username: ubuntu
+          key: ${{ secrets.DEMO_SSH_KEY }}
+          script: |
+            set -e
+            cd /opt/nexuslims-cdcs
+
+            echo "=== Pulling latest code (branch: ${{ github.ref_name }}) ==="
+            git fetch origin
+            git checkout ${{ github.ref_name }}
+            git pull origin ${{ github.ref_name }}
+
+            echo "=== Downloading fixtures (if absent) ==="
+            cd deployment
+            if [ ! -d "fixtures/demo_data/nx-data" ]; then
+              ./scripts/manage-demo-fixtures.sh download
+            else
+              echo "  Fixtures already present, skipping download"
+            fi
+
+            echo "=== Building CDCS container ==="
+            export COMPOSE_FILE="docker-compose.base.yml:docker-compose.demo.yml"
+            COMPOSE_BAKE=true docker compose build cdcs
+
+            echo "=== Restarting stack ==="
+            docker compose down
+            docker compose up -d
+
+            echo "=== Deploy complete ==="

deployment/.env.demo.example

@@ -75,6 +75,16 @@ NX_INSTRUMENT_DATA_PATH=/srv/nx-instrument-data
 # docker-compose.demo.yml mounts these from deployment/fixtures/demo_data/
 # (no need to set host paths here - the compose override handles it)
 
+# ----------------------------------------------------------------------------
+# CA Bundle for outbound HTTPS from within the container
+# ----------------------------------------------------------------------------
+# OCI / Let's Encrypt: use the system bundle
+REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
+CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
+# Local dev with Caddy local CA: comment the two lines above and uncomment:
+# REQUESTS_CA_BUNDLE=/etc/ssl/certs/caddy-root-ca.crt
+# CURL_CA_BUNDLE=/etc/ssl/certs/caddy-root-ca.crt
+
 # ----------------------------------------------------------------------------
 # XSLT Configuration
 # ----------------------------------------------------------------------------