docs: add optional Portainer webhook auto-deploy to CI/CD guide

Document the pattern for triggering Portainer stack redeploy
after docker push, with graceful skip when webhook is not configured.

gitea-python-ci-cd.md

@@ -556,10 +556,41 @@ CMD ["uvicorn", "your_package.main:app", "--host", "0.0.0.0", "--port", "8080"]
 - name: Push
   if: steps.docker-login.outcome == 'success'
   run: docker push "$REGISTRY" --all-tags
+
+- name: Trigger Portainer redeploy
+  if: steps.docker-login.outcome == 'success'
+  continue-on-error: true  # Optional — webhook may not be configured
+  run: |
+    if [ -n "${{ secrets.PORTAINER_WEBHOOK_URL }}" ]; then
+      echo "Triggering Portainer redeploy..."
+      curl -sf -X POST "${{ secrets.PORTAINER_WEBHOOK_URL }}" \
+        --max-time 30 || echo "::warning::Portainer webhook failed"
+    else
+      echo "PORTAINER_WEBHOOK_URL not set — skipping auto-deploy"
+    fi
 ```
 
 **Registry URL pattern:** `{gitea-host}/{owner}/{repo}:{tag}`
 
+### Auto-Deploy via Portainer Webhook (Optional)
+
+Portainer can automatically redeploy a stack/service when a new image is pushed.
+Each stack has its own unique webhook URL generated in the Portainer UI.
+
+**Setup:**
+
+1. In Portainer, open your stack → **Webhooks** → enable and copy the URL
+2. In Gitea, go to repo **Settings → Secrets** → add `PORTAINER_WEBHOOK_URL`
+3. The CI step above calls the webhook after `docker push` — Portainer pulls
+   the new image and recreates the container
+
+**Notes:**
+
+- The webhook URL itself acts as authentication — no extra token needed
+- The step uses `continue-on-error: true` so missing webhooks don't fail the build
+- Each service/stack gets its own webhook — one secret per repo
+- If `PORTAINER_WEBHOOK_URL` is not set, the step is silently skipped
+
 ### Docker Network on TrueNAS
 
 If Docker builds fail with `route for the gateway 0.0.0.1 could not be found: network is unreachable`, the Docker address pool is misconfigured. In TrueNAS 25.10+: