ci(windows): add always-runs revert job that rolls the VM back to gold

Calls the host's testing-revert HTTP endpoint after windows-test (whether
it passed or failed), so every CI run starts from the gold snapshot.

.forgejo/workflows/ci.yml

@@ -68,3 +68,25 @@ jobs:
           sshpass -e ssh -o StrictHostKeyChecking=no \
             -p "$WIN_PORT" "$WIN_USER@$WIN_HOST" \
             "echo TODO: run actual test command here"
+
+  # Always-runs cleanup: rolls the VM back to the gold snapshot on the host.
+  # In a separate job so it fires even when windows-test crashes mid-step.
+  revert-vm:
+    runs-on: docker
+    needs: [windows-test]
+    if: always()
+    steps:
+      - name: Install client tools
+        run: |
+          apt-get update -qq
+          apt-get install -y -qq curl iproute2
+
+      - name: Trigger revert on host
+        env:
+          REVERT_TOKEN: ${{ secrets.REVERT_TOKEN }}
+        run: |
+          GW=$(ip route | awk '/default/ {print $3; exit}')
+          echo "calling revert endpoint at $GW:8765"
+          curl -fsSL --max-time 90 -X POST \
+            -H "Authorization: Bearer $REVERT_TOKEN" \
+            "http://$GW:8765/revert"