ci: serialise les deploys + secrets via env, SSH robuste

- concurrency group deploy-xip-prod (evite la course docker compose --build)
- passe HOST/USER/KEY par env (cle multi-ligne preservee)
- SSH sans known_hosts (StrictHostKeyChecking=no)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

.gitea/workflows/deploy.yml

@@ -7,20 +7,29 @@ on:
     branches: [main]
   workflow_dispatch:
 
+# Serialize deploys: never run two deploys against the CT at the same time
+# (concurrent `docker compose up --build` on the same project races and fails).
+concurrency:
+  group: deploy-xip-prod
+  cancel-in-progress: false
+
 jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-      - name: Set up SSH
+      - name: Deploy over SSH to xip-app
+        env:
+          # Secrets via env (not inlined in the script) so the multi-line key
+          # keeps its newlines and never breaks shell quoting.
+          DEPLOY_HOST: ${{ secrets.XIP_DEPLOY_HOST }}
+          DEPLOY_USER: ${{ secrets.XIP_DEPLOY_USER }}
+          DEPLOY_KEY: ${{ secrets.XIP_DEPLOY_KEY }}
         run: |
+          set -e
           command -v ssh >/dev/null 2>&1 || (apt-get update && apt-get install -y --no-install-recommends openssh-client)
           mkdir -p ~/.ssh
-          printf '%s\n' "${{ secrets.XIP_DEPLOY_KEY }}" > ~/.ssh/id_ed25519
+          printf '%s\n' "$DEPLOY_KEY" > ~/.ssh/id_ed25519
           chmod 600 ~/.ssh/id_ed25519
-          ssh-keyscan -H "${{ secrets.XIP_DEPLOY_HOST }}" >> ~/.ssh/known_hosts 2>/dev/null || true
-
-      - name: Deploy over SSH
-        run: |
-          ssh -i ~/.ssh/id_ed25519 -o StrictHostKeyChecking=no \
-            "${{ secrets.XIP_DEPLOY_USER }}@${{ secrets.XIP_DEPLOY_HOST }}" \
-            'bash /opt/xip/scripts/deploy.sh'
+          ssh -i ~/.ssh/id_ed25519 \
+            -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
+            "$DEPLOY_USER@$DEPLOY_HOST" 'bash /opt/xip/scripts/deploy.sh'