feat(ci): run dalpuri CW-to-API sync as a k8s Job before deploy

The CW MSSQL and API Postgres addresses are internal to the cluster and
unreachable from GitHub-hosted runners, so the sync must run inside k8s.

- Add dalpuri-sync Docker stage to api/Dockerfile: installs deps,
  generates both Prisma clients, and runs dalpuri/src/sync.ts
- Add dalpuri/kubernetes/sync-job.yaml: mounts api-env-secret (which
  already contains CW_DATABASE_URL) and maps DATABASE_URL -> API_DATABASE_URL
- build-api job now also pushes optima-dalpuri-sync:TAG image
- sync-cw-to-api CI job replaced with kubectl apply/wait pattern,
  needs [build-api, build-worker], blocks deploy-api and deploy-worker

.github/workflows/deploy.yaml

@@ -130,6 +130,17 @@ jobs:
             ghcr.io/horizonstacksoftware/optima-api-migrate:latest
             ghcr.io/horizonstacksoftware/optima-api-migrate:${{ github.event.release.tag_name }}
 
+      - name: Build and push the dalpuri sync image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: api/Dockerfile
+          push: true
+          target: dalpuri-sync
+          tags: |
+            ghcr.io/horizonstacksoftware/optima-dalpuri-sync:latest
+            ghcr.io/horizonstacksoftware/optima-dalpuri-sync:${{ github.event.release.tag_name }}
+
   build-worker:
     name: Build - Worker
     needs: [test-api, test-dalpuri, test-ui]
@@ -276,6 +287,55 @@ jobs:
           files: |
             ui/out/make/**/*.exe
 
+  # Runs a full CW → API data sync as a Kubernetes Job (the CW MSSQL and
+  # API Postgres addresses are internal to the cluster and unreachable from
+  # GitHub-hosted runners).  Waits for both images to be built first and
+  # must succeed before either the API or worker deploys.
+  sync-cw-to-api:
+    name: Sync - CW to API
+    needs: [build-api, build-worker]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Set the Kubernetes context
+        uses: azure/k8s-set-context@v2
+        with:
+          method: kubeconfig
+          kubeconfig: ${{ secrets.KUBECONFIG }}
+
+      - name: Checkout source code
+        uses: actions/checkout@v4
+
+      - name: Delete previous sync job if exists
+        run: kubectl delete job -n optima -l app=dalpuri-sync --ignore-not-found
+
+      - name: Apply sync job
+        run: |
+          TAG=${{ github.event.release.tag_name }}
+          sed "s/RELEASE_TAG/${TAG}/g" dalpuri/kubernetes/sync-job.yaml | kubectl apply -f -
+
+      - name: Wait for sync to complete
+        run: |
+          TAG=${{ github.event.release.tag_name }}
+          JOB="job/dalpuri-sync-${TAG}"
+
+          kubectl wait --for=condition=complete --timeout=1800s -n optima "$JOB" &
+          WAIT_COMPLETE=$!
+          kubectl wait --for=condition=failed --timeout=1800s -n optima "$JOB" &
+          WAIT_FAILED=$!
+
+          wait -n $WAIT_COMPLETE $WAIT_FAILED
+
+          echo "--- Sync job logs ---"
+          kubectl logs -n optima "$JOB" --tail=500 || true
+
+          if kubectl get -n optima "$JOB" -o jsonpath='{.status.conditions[?(@.type=="Complete")].status}' | grep -q "True"; then
+            echo "Sync completed successfully."
+            exit 0
+          else
+            echo "Sync FAILED."
+            exit 1
+          fi
+
   # ==========================================================================
   # Deploy jobs
   # ==========================================================================
@@ -332,7 +392,7 @@ jobs:
 
   deploy-api:
     name: Deploy - API
-    needs: [migrate-api]
+    needs: [migrate-api, sync-cw-to-api]
     runs-on: ubuntu-latest
     steps:
       - name: Set the Kubernetes context
@@ -402,7 +462,7 @@ jobs:
 
   deploy-worker:
     name: Deploy - Worker
-    needs: [build-worker]
+    needs: [build-worker, sync-cw-to-api]
     runs-on: ubuntu-latest
     steps:
       - name: Set the Kubernetes context