ops: document deploy secrets and enforce main branch protection

docs/DEPLOY_CLOUDFLARE.md

@@ -5,18 +5,16 @@ This repo deploys `https://every.channel` via Wrangler.
 ## Prereqs
 
 - Forgejo Actions enabled on the repo.
-- A Cloudflare API token stored as a Forgejo Actions secret:
-  - name: `CLOUDFLARE_API_TOKEN`
+- Forgejo Actions secret `AGE_FORGE_SSH_KEY` set to the SSH private key used to decrypt repo-encrypted age secrets.
+- `secrets/cloudflare-api-token.age` present in-repo and decryptable by `AGE_FORGE_SSH_KEY`.
 
-The workflow is defined in `.forgejo/workflows/deploy-cloudflare.yml`.
+CI and deploy workflows:
+
+- PR/main checks: `.forgejo/workflows/ci-gates.yml`
+- Deploy (main only, depends on checks): `.forgejo/workflows/deploy-cloudflare.yml`
 
 ## Manual deploy (local)
 
 ```sh
-cd apps/tauri/ui
-trunk build --release --public-url /
-
-cd deploy/cloudflare-worker
-npm ci
-npm run deploy
+./scripts/deploy-workers.sh
 ```