Pass ansible vault password via env var instead of process substitution

- .gitea/workflows/deploy.yml: stop interpolating ANSIBLE_VAULT_PASSWORD
  directly into the remote script (the runner masks the secret with ***
  which broke the <(echo '...') process substitution at runtime)
- inject the password as VAULT_PASS through appleboy/ssh-action's
  envs: forwarding so it never appears in the rendered script
- on the remote, write it to a mktemp file with chmod 600 and remove
  the file via trap on EXIT, then point ansible-playbook
  --vault-password-file at that temp file
- use printf '%s' instead of echo to avoid adding a stray newline to
  the vault password
- add set -e so the script fails fast if any step errors

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Serreau Jovann
2026-04-10 18:04:50 +02:00
parent 5449ab9d4d
commit c6d2c068d3


@@ -11,10 +11,19 @@ jobs:
steps:
- name: Deploy with SSH
uses: appleboy/ssh-action@v1.0.0
env:
VAULT_PASS: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
with:
host: ${{ secrets.SSH_HOST }}
username: ${{ secrets.SSH_USER }}
key: ${{ secrets.SSH_PRIVATE_KEY }}
port: 22
envs: VAULT_PASS
script: |
cd ${{ secrets.DEPLOY_PATH }} && ansible-playbook ansible/deploy.yml -i ansible/hosts.ini --vault-password-file <(echo '${{ secrets.ANSIBLE_VAULT_PASSWORD }}')
set -e
cd ${{ secrets.DEPLOY_PATH }}
VAULT_FILE="$(mktemp)"
trap 'rm -f "$VAULT_FILE"' EXIT
printf '%s' "$VAULT_PASS" > "$VAULT_FILE"
chmod 600 "$VAULT_FILE"
ansible-playbook ansible/deploy.yml -i ansible/hosts.ini --vault-password-file "$VAULT_FILE"
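Review bot: After `printf '%s' "$VAULT_PASS" > "$VAULT_FILE"` the password is still present in the remote shell's environment, so `ansible-playbook` and every module process it spawns inherit it; add `unset VAULT_PASS` right after the file is written so the 0600 temp file is the only copy. Before the printf, `: "${VAULT_PASS:?VAULT_PASS was not forwarded}"` would make a broken `envs:` forwarding fail fast with a clear message instead of surfacing later as a vault decryption error on an empty password file. `cd ${{ secrets.DEPLOY_PATH }}` still interpolates a secret into the rendered script, which is the same pattern this commit removes for the vault password; forwarding DEPLOY_PATH through `envs:` alongside VAULT_PASS keeps the script free of secret expansion (and of the runner's `***` masking). Minor: `uses: appleboy/ssh-action@v1.0.0` pins a mutable tag; pinning to the full commit SHA protects the deploy step against the tag being retargeted.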