feat: Add autotag for automatic semantic versioning

#minor

Pipeline now automatically creates version tags after successful tests:
- Uses autotag to determine version bump from commit messages
- #major in commit = major version bump
- #minor in commit = minor version bump
- Default = patch version bump
- Tag push triggers registry push and CD update

Flow:
1. Push to main → lint → build → test → security-scan → autotag
2. Autotag creates v*.*.* tag → triggers new workflow
3. Tag workflow → push to registry → update-cd

.gitea/workflows/build.yaml

@@ -131,11 +131,78 @@ jobs:
               exit 1
             }
 
-  # Stage 5: Push to registry
+  # Stage 5: Auto-tag (only on main branch, not on tags or PRs)
+  autotag:
+    runs-on: ubuntu-latest
+    needs: [test, security-scan]
+    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+    outputs:
+      new_tag: ${{ steps.autotag.outputs.new_tag }}
+      version: ${{ steps.autotag.outputs.version }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Need full history for autotag
+
+      - name: Configure git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+      - name: Run autotag
+        id: autotag
+        run: |
+          # Download autotag
+          AUTOTAG_VERSION="1.3.9"
+          curl -sL "https://github.com/autotag-dev/autotag/releases/download/v${AUTOTAG_VERSION}/autotag_linux_amd64" -o /tmp/autotag
+          chmod +x /tmp/autotag
+
+          # Get current version
+          CURRENT_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "v0.0.0")
+          echo "Current tag: $CURRENT_TAG"
+
+          # Calculate next version based on commits
+          # autotag looks for #major, #minor in commit messages, defaults to patch
+          NEW_TAG=$(/tmp/autotag -n -b main 2>/dev/null || echo "")
+
+          if [ -z "$NEW_TAG" ]; then
+            echo "No new tag needed or autotag failed, using fallback"
+            # Fallback: increment patch version
+            CURRENT_VERSION="${CURRENT_TAG#v}"
+            MAJOR=$(echo $CURRENT_VERSION | cut -d. -f1)
+            MINOR=$(echo $CURRENT_VERSION | cut -d. -f2)
+            PATCH=$(echo $CURRENT_VERSION | cut -d. -f3)
+            NEW_PATCH=$((PATCH + 1))
+            NEW_TAG="v${MAJOR}.${MINOR}.${NEW_PATCH}"
+          fi
+
+          echo "New tag will be: $NEW_TAG"
+          echo "new_tag=$NEW_TAG" >> $GITHUB_OUTPUT
+          echo "version=${NEW_TAG#v}" >> $GITHUB_OUTPUT
+
+      - name: Create and push tag
+        run: |
+          NEW_TAG="${{ steps.autotag.outputs.new_tag }}"
+
+          # Check if tag already exists
+          if git rev-parse "$NEW_TAG" >/dev/null 2>&1; then
+            echo "Tag $NEW_TAG already exists, skipping"
+            exit 0
+          fi
+
+          echo "Creating tag: $NEW_TAG"
+          git tag -a "$NEW_TAG" -m "Release $NEW_TAG (auto-generated)"
+          git push origin "$NEW_TAG"
+          echo "Successfully pushed tag: $NEW_TAG"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  # Stage 6: Push to registry (only on tags)
   push:
     runs-on: ubuntu-latest
     needs: [test, security-scan]
-    if: github.event_name != 'pull_request'
+    if: startsWith(github.ref, 'refs/tags/v')
     outputs:
       version: ${{ steps.version.outputs.VERSION }}
       full_image: ${{ steps.version.outputs.FULL_IMAGE }}
@@ -153,16 +220,12 @@ jobs:
       - name: Determine version and tags
         id: version
         run: |
-          if [[ "$GITHUB_REF" == refs/tags/v* ]]; then
-            VERSION="${GITHUB_REF#refs/tags/v}"
-            # For releases, tag with version, major.minor, and latest
-            MAJOR=$(echo $VERSION | cut -d. -f1)
-            MINOR=$(echo $VERSION | cut -d. -f2)
-            TAGS="${VERSION},${MAJOR}.${MINOR},latest"
-          else
-            VERSION="$(echo "$GITHUB_SHA" | cut -c1-7)"
-            TAGS="${VERSION},latest"
-          fi
+          VERSION="${GITHUB_REF#refs/tags/v}"
+          # For releases, tag with version, major.minor, and latest
+          MAJOR=$(echo $VERSION | cut -d. -f1)
+          MINOR=$(echo $VERSION | cut -d. -f2)
+          TAGS="${VERSION},${MAJOR}.${MINOR},latest"
+
           echo "VERSION=$VERSION" >> $GITHUB_OUTPUT
           echo "TAGS=$TAGS" >> $GITHUB_OUTPUT
           echo "FULL_IMAGE=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${VERSION}" >> $GITHUB_OUTPUT
@@ -184,11 +247,11 @@ jobs:
         if: always()
         run: docker logout ${{ env.REGISTRY }} || true
 
-  # Stage 6: Update CD pipeline (trigger deployment)
+  # Stage 7: Update CD pipeline (trigger deployment)
   update-cd:
     runs-on: ubuntu-latest
     needs: push
-    if: github.event_name != 'pull_request' && startsWith(github.ref, 'refs/tags/v')
+    if: startsWith(github.ref, 'refs/tags/v')
     steps:
       - name: Trigger CD pipeline
         run: |