fix: add Stripe secrets to CI/CD and build configuration (refs #55)

- Add VITE_STRIPE_PUBLISHABLE_KEY to frontend Dockerfile build args
- Add VITE_STRIPE_PUBLISHABLE_KEY to docker-compose.yml build args
- Add :ro flag to backend Stripe secret volume mounts for consistency
- Update inject-secrets.sh with STRIPE_SECRET_KEY and STRIPE_WEBHOOK_SECRET
- Add Stripe secrets to staging.yaml workflow (build arg + inject step)
- Add Stripe secrets to production.yaml workflow (inject step)

Requires STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET secrets and
VITE_STRIPE_PUBLISHABLE_KEY variable to be configured in Gitea.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

scripts/inject-secrets.sh

@@ -15,6 +15,8 @@
 #   - GOOGLE_MAPS_MAP_ID
 #   - CF_DNS_API_TOKEN
 #   - RESEND_API_KEY
+#   - STRIPE_SECRET_KEY
+#   - STRIPE_WEBHOOK_SECRET
 
 set -euo pipefail
 
@@ -32,6 +34,8 @@ SECRET_FILES=(
     "google-maps-map-id.txt"
     "cloudflare-dns-token.txt"
     "resend-api-key.txt"
+    "stripe-secret-key.txt"
+    "stripe-webhook-secret.txt"
 )
 
 echo "Injecting secrets..."
@@ -99,6 +103,8 @@ inject_secret "GOOGLE_MAPS_API_KEY" "google-maps-api-key.txt" || FAILED=1
 inject_secret "GOOGLE_MAPS_MAP_ID" "google-maps-map-id.txt" || FAILED=1
 inject_secret "CF_DNS_API_TOKEN" "cloudflare-dns-token.txt" || FAILED=1
 inject_secret "RESEND_API_KEY" "resend-api-key.txt" || FAILED=1
+inject_secret "STRIPE_SECRET_KEY" "stripe-secret-key.txt" || FAILED=1
+inject_secret "STRIPE_WEBHOOK_SECRET" "stripe-webhook-secret.txt" || FAILED=1
 
 if [ $FAILED -eq 1 ]; then
     echo ""