ci(deploy): mirror web build to pex.mom for geo-redundancy

Split monolithic deploy job into bump-version + deploy-app + deploy-pex.
Both deploys run in parallel from same build artifact, independent
secrets per VPS. If one country blocks a domain, the other VPS keeps
serving the same version.

- bump-version: single source of version bump, runs before both deploys
- deploy-app: existing target /var/www/subdomains/app on DEV VPS
- deploy-pex: new target /var/www/pex.mom on VPS3 (217.77.6.126)

Requires secrets: VPS_PEX_HOST, VPS_PEX_USER, VPS_PEX_SSH_KEY, VPS_PEX_SSH_PORT

.github/workflows/quality-gate.yml

@@ -75,13 +75,15 @@ jobs:
           path: web/dist/
 
   # ========================================
-  # DEPLOY WEB APP TO VPS
+  # VERSION BUMP (RUNS BEFORE BOTH DEPLOYS)
   # ========================================
-  deploy:
+  bump-version:
-    name: Deploy Web
+    name: Bump Version
     runs-on: ubuntu-latest
     needs: [web, security-audit]
     if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+    outputs:
+      new_version: ${{ steps.bump.outputs.version }}
 
     steps:
       - name: Checkout code
@@ -101,23 +103,34 @@ jobs:
           git config user.email "github-actions[bot]@users.noreply.github.com"
 
       - name: Bump version
+        id: bump
         working-directory: ./web
         run: |
           npm version patch --no-git-tag-version
           VERSION=$(node -p "require('./package.json').version")
-          echo "NEW_VERSION=$VERSION" >> $GITHUB_ENV
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
           cd ..
           git add web/package.json
           git commit -m "chore(web): bump version to $VERSION [skip ci]" || echo "No version change"
           git push || echo "Nothing to push"
 
+  # ========================================
+  # DEPLOY TO app.pezkuwichain.io (DEV VPS)
+  # ========================================
+  deploy-app:
+    name: Deploy app.pezkuwichain.io
+    runs-on: ubuntu-latest
+    needs: [bump-version]
+    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+
+    steps:
       - name: Download build artifact
         uses: actions/download-artifact@v4
         with:
           name: web-dist
           path: dist/
 
-      - name: Deploy to VPS
+      - name: Deploy to DEV VPS
         uses: appleboy/scp-action@v1.0.0
         with:
           host: ${{ secrets.VPS_HOST }}
@@ -130,7 +143,38 @@ jobs:
 
       - name: Post-deploy notification
         run: |
-          echo "✅ Deployed web app v${{ env.NEW_VERSION }} to app.pezkuwichain.io"
+          echo "✅ Deployed v${{ needs.bump-version.outputs.new_version }} to app.pezkuwichain.io"
+
+  # ========================================
+  # DEPLOY TO pex.mom (VPS3 — geo-redundant mirror)
+  # ========================================
+  deploy-pex:
+    name: Deploy pex.mom
+    runs-on: ubuntu-latest
+    needs: [bump-version]
+    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+
+    steps:
+      - name: Download build artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: web-dist
+          path: dist/
+
+      - name: Deploy to VPS3
+        uses: appleboy/scp-action@v1.0.0
+        with:
+          host: ${{ secrets.VPS_PEX_HOST }}
+          username: ${{ secrets.VPS_PEX_USER }}
+          key: ${{ secrets.VPS_PEX_SSH_KEY }}
+          port: ${{ secrets.VPS_PEX_SSH_PORT || 22 }}
+          source: 'dist/*'
+          target: '/var/www/pex.mom'
+          strip_components: 1
+
+      - name: Post-deploy notification
+        run: |
+          echo "✅ Deployed v${{ needs.bump-version.outputs.new_version }} to pex.mom"
 
   # ========================================
   # SECURITY CHECKS (BLOCKING)