fix: restore shared production env during deploy

deploy/README.md

@@ -5,6 +5,7 @@ This repo includes `.gitea/workflows/ci-deploy.yml` for:
 - backend build
 - backend tests
 - frontend tests
+- frontend production build
 - deployment to Ubuntu after successful tests on `main`
 
 ### Required secrets in Gitea
@@ -16,13 +17,24 @@ This repo includes `.gitea/workflows/ci-deploy.yml` for:
 Recommended app path:
 - `/opt/job-tracker/app`
 
+Persistent runtime secrets path:
+- `/opt/job-tracker/shared/.env`
+
 Requirements:
 - Docker Engine
 - Docker Compose plugin
 - reverse proxy in front (Nginx, Caddy, or Traefik)
-- `.env` file present on server in `/opt/job-tracker/app/.env`
+- shared env file present on server in `/opt/job-tracker/shared/.env`
 - network connectivity from the backend container to your `mariadb` container/service
 
+The deploy script will automatically create a symlink from:
+- `/opt/job-tracker/shared/.env`
+
+to:
+- `/opt/job-tracker/app/.env`
+
+This keeps secrets outside the uploaded repo checkout so they are not wiped by CI deploys.
+
 ### Example production `.env`
 ```env
 DATABASE_PROVIDER=mariadb
@@ -62,7 +74,7 @@ If this app is going to be a real production service on Ubuntu:
 1. push to `main`
 2. Gitea Actions runs tests
 3. if green, workflow uploads repo to server
-4. `deploy/deploy.sh` runs `docker compose build && docker compose up -d`
+4. `deploy/deploy.sh` links `/opt/job-tracker/shared/.env` into the repo checkout, then runs `docker compose build && docker compose up -d`
 5. workflow checks service status after deployment
 
 ## Post-deploy verification you should also do manually the first time