feat(release): auto-trigger Render demo deploy after container push

Add trigger-demo-deploy job to cd-release workflow that POSTs to
Render deploy hook when TimeTrackerDemoRender org secret is set.
Runs after build-and-push; skips gracefully if secret is not
configured. Include demo deploy status in release summary.

Document in RENDER.md, CI_CD_DOCUMENTATION.md, and
GITHUB_ACTIONS_SETUP.md.

.github/workflows/cd-release.yml

@@ -1213,13 +1213,42 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         continue-on-error: false
 
+  # ============================================================================
+  # Trigger Demo Site Deploy (Render)
+  # ============================================================================
+  trigger-demo-deploy:
+    name: Trigger Demo Deploy
+    runs-on: ubuntu-latest
+    needs: [build-and-push]
+    continue-on-error: true
+    timeout-minutes: 2
+    
+    steps:
+      - name: Trigger Render deploy hook
+        env:
+          RENDER_DEPLOY_HOOK_URL: ${{ secrets.TimeTrackerDemoRender }}
+        run: |
+          if [ -z "$RENDER_DEPLOY_HOOK_URL" ]; then
+            echo "⚠️ TimeTrackerDemoRender secret not configured - skipping demo deploy"
+            exit 0
+          fi
+          echo "🚀 Triggering Render deploy hook for demo site..."
+          HTTP_CODE=$(curl -s -o /tmp/render-response.txt -w "%{http_code}" -X POST "$RENDER_DEPLOY_HOOK_URL")
+          if [ "$HTTP_CODE" -ge 200 ] && [ "$HTTP_CODE" -lt 300 ]; then
+            echo "✅ Render deploy triggered successfully (HTTP $HTTP_CODE)"
+          else
+            echo "❌ Render deploy hook returned HTTP $HTTP_CODE"
+            cat /tmp/render-response.txt || true
+            exit 1
+          fi
+
   # ============================================================================
   # Post-Release Summary
   # ============================================================================
   release-summary:
     name: Release Summary
     runs-on: ubuntu-latest
-    needs: [security-audit, build-and-push, determine-version, create-release, build-desktop-windows, build-desktop-linux, build-desktop-macos, build-mobile-android, build-mobile-ios]
+    needs: [security-audit, build-and-push, determine-version, create-release, trigger-demo-deploy, build-desktop-windows, build-desktop-linux, build-desktop-macos, build-mobile-android, build-mobile-ios]
     if: always()
     
     steps:
@@ -1231,6 +1260,7 @@ jobs:
           echo "- ✅ Security: ${{ needs.security-audit.result }}" >> $GITHUB_STEP_SUMMARY
           echo "- ✅ Docker Build: ${{ needs.build-and-push.result }}" >> $GITHUB_STEP_SUMMARY
           echo "- ✅ Release: ${{ needs.create-release.result }}" >> $GITHUB_STEP_SUMMARY
+          echo "- ✅ Demo Deploy: ${{ needs.trigger-demo-deploy.result }}" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "### Desktop Applications" >> $GITHUB_STEP_SUMMARY
           if [ "${{ needs.build-desktop-windows.result }}" == "success" ]; then

docs/cicd/CI_CD_DOCUMENTATION.md

@@ -257,7 +257,8 @@ ghcr.io/{owner}/{repo}:dev-abc1234
    - Semantic version tags
    - `latest`
    - `stable`
-6. **Create GitHub release** with:
+6. **Trigger demo deploy** (optional): if the `TimeTrackerDemoRender` organization secret is set to a Render deploy hook URL, the workflow POSTs to it so the demo site redeploys with the new image.
+7. **Create GitHub release** with:
    - Changelog
    - Deployment manifests
    - Docker compose files
@@ -412,6 +413,7 @@ Optional secrets:
 - `SLACK_WEBHOOK` - For Slack notifications
 - `DOCKER_HUB_USERNAME` - If publishing to Docker Hub
 - `DOCKER_HUB_TOKEN` - If publishing to Docker Hub
+- `TimeTrackerDemoRender` - (Organization secret) Render deploy hook URL; when set, the release workflow triggers a redeploy of the demo site after pushing the new container
 
 ### Environment Variables
 

docs/cicd/GITHUB_ACTIONS_SETUP.md

@@ -113,6 +113,7 @@ on:
 - Determines semantic version
 - Builds multi-platform images
 - Publishes with multiple tags
+- Triggers Render demo deploy (if `TimeTrackerDemoRender` org secret is set)
 - Creates GitHub release
 - Generates changelog
 - Includes deployment manifests (Docker Compose + Kubernetes)

docs/deploy/RENDER.md

@@ -20,6 +20,16 @@ The Blueprint uses the **pre-built Docker image** from GitHub Container Registry
 
 To deploy a new version, push to `main` or create a release so GitHub Actions builds and pushes a new image, then in Render trigger a **Manual Deploy** (or use a deploy hook) to pull the updated image.
 
+### Automatic demo deploy via release workflow
+
+If you host a demo site on Render, the release workflow can automatically trigger a redeploy when a new container is published. Configure:
+
+1. In Render: open your demo Web Service → **Settings** → **Deploy Hook** and copy the deploy hook URL.
+2. In GitHub: add an **organization secret** named `TimeTrackerDemoRender` with the deploy hook URL as the value. Grant your TimeTracker repository access to this secret (Organization Settings → Secrets and variables → Actions → Repository access).
+3. On each release (push to `main`, tag, or manual dispatch), after the Docker image is built and pushed, the workflow sends a POST request to the deploy hook. Render will pull the new image and redeploy your demo site.
+
+If the secret is not set, the workflow skips the deploy trigger and the release completes normally.
+
 ## Environment variables
 
 The blueprint sets: