ci: add auto-deploy to S1+S2 via rsync after merge to main

Adds new "deploy" job in .gitea/workflows/ci.yml that runs on push
to main (after PR is merged). Builds production bundle and rsyncs
it to /var/www/rublox-player/build/ on both production servers
(S1 VM 124 via NAT 1998, S2 VM 124 directly via runner network).

Uses Gitea Secrets:
  - DEPLOY_SSH_KEY: dedicated ed25519 key for CI, pubkey already
    on ~min/.ssh/authorized_keys on both VM 124
  - KNOWN_HOSTS: host-keys of both targets to prevent MITM

Also updates CONTRIBUTING.md:
  - Maintainer workflow section explaining why even Lead works via PR
  - Hotfix flow (always via PR, never direct push to main)
  - DevPanel as fallback if CI deploy is broken

.gitea/workflows/ci.yml

@@ -41,9 +41,11 @@ jobs:
       - run: npm ci
       - run: npm run build
       - name: Save build size
+        # set -o pipefail (default Gitea Actions) валит step при SIGPIPE
+        # от head. Делаем команды непадающими через || true.
         run: |
-          du -sh build/
-          ls -la build/assets/ | head -10
+          du -sh build/ || true
+          ls -la build/assets/ 2>/dev/null | head -10 || true
 
   secret-scan:
     name: Secret scan