Migrate deploy workflow to appleboy/ssh-action

- .gitea/workflows/deploy.yml: replace manual ssh key setup + raw ssh
  command with the appleboy/ssh-action@v1.0.0 action
- host, user, key and deploy path are now read from Gitea secrets
  (SSH_HOST, SSH_USER, SSH_PRIVATE_KEY, DEPLOY_PATH) instead of being
  hard-coded in the workflow
- ansible-playbook command and vault password file (process substitution
  fed by ANSIBLE_VAULT_PASSWORD) are kept identical, only the transport
  changes

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.gitea/workflows/deploy.yml

@@ -9,12 +9,12 @@ jobs:
   deploy:
     runs_on: ubuntu-latest
     steps:
-      - name: Setup SSH key
-        run: |
-          mkdir -p ~/.ssh
-          echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
-          ssh-keyscan 152.228.222.133 >> ~/.ssh/known_hosts
-
-      - name: Deploy
-        run: ssh bot@152.228.222.133 "cd /var/www/e-ticket && ansible-playbook ansible/deploy.yml -i ansible/hosts.ini --vault-password-file <(echo '${{ secrets.ANSIBLE_VAULT_PASSWORD }}')"
+      - name: Deploy with SSH
+        uses: appleboy/ssh-action@v1.0.0
+        with:
+          host: ${{ secrets.SSH_HOST }}
+          username: ${{ secrets.SSH_USER }}
+          key: ${{ secrets.SSH_PRIVATE_KEY }}
+          port: 22
+          script: |
+            cd ${{ secrets.DEPLOY_PATH }} && ansible-playbook ansible/deploy.yml -i ansible/hosts.ini --vault-password-file <(echo '${{ secrets.ANSIBLE_VAULT_PASSWORD }}')