continuous deploy - service account and gitea workflow

README.md

@@ -10,8 +10,9 @@ Using [NextCloud](https://nextcloud.com/)
   - [preview generator](#preview-generator)
   - [repair tree](#repair-tree)
   - [delete file locks](#delete-file-locks)
-- [Setup](#setup)
-- [Requirements - infra](#requirements---infra)
+- [Setup and Deploy](#setup-and-deploy)
+  - [App](#app)
+  - [Infra](#infra)
 - [mariadb database](#mariadb-database)
 
 ## command
@@ -61,21 +62,45 @@ su -s /bin/bash www-data -c "php occ files:repair-tree"
  DELETE FROM oc_file_locks WHERE 1;
 ```
 
-## Setup
+## Setup and Deploy
 
-- deploy mariadb
-- nextcloud helm chart
+### App
+
+**Security context:**
+
+This script is intended to be executed only by low‑privilege deployment identities, such as the **continuous‑deploy** ServiceAccount or an application maintainer with equivalent permissions.
 
 ```bash
 ./ops-scripts/apply-app.sh
 ```
 
-## Requirements - infra
+**Responsibilities:**
+
+- Database deployment
+- Persistent Volume Claims (storage.limbosolutions.com)
+- Nextcloud Helm chart deployment
+- Backup job deployment
+
+**Requirements:**
+
+- [infra](#infra)
+
+### Infra
+
+**Security context:**
+This script requires elevated cluster‑level permissions and must be executed only by platform maintainers, not by the continuous‑deploy identity.
 
 ```bash
 ./ops-scripts/apply-infra.sh
 ```
 
+**Responsibilities:**
+
+- Ingress controller deployment
+- Persistent storage provisioning (storage.limbosolutions.com)
+- services accounts:
+  - Continuous deploy - Deployment RBAC (ServiceAccount + Role + RoleBinding)
+
 ## mariadb database
 
 **Connect to maria db:**