ci: use ssh-agent with dedicated deploy key (no passphrase)

.gitea/workflows/deploy-qa.yml

@@ -59,17 +59,13 @@ jobs:
           set -euo pipefail
           IMAGE_TAG="${{ needs.build-and-push.outputs.image_tag }}"
 
-          echo "${{ secrets.DEPLOY_SSH_KEY_B64 }}" | base64 -d > /tmp/deploy_key
-          chmod 600 /tmp/deploy_key
-          echo "${{ secrets.DEPLOY_PASSPHRASE }}" > /tmp/passphrase
-
-          sudo apt-get update -qq && sudo apt-get install -y -qq sshpass
+          eval $(ssh-agent -s)
+          echo "${{ secrets.DEPLOY_SSH_KEY }}" | ssh-add -
 
+          mkdir -p ~/.ssh
           ssh-keyscan -H ${{ secrets.DEPLOY_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
 
-          sshpass -f /tmp/passphrase ssh -i /tmp/deploy_key \
-            -o StrictHostKeyChecking=no \
-            ${{ secrets.DEPLOY_USERNAME }}@${{ secrets.DEPLOY_HOST }} bash -s \
+          ssh ${{ secrets.DEPLOY_USERNAME }}@${{ secrets.DEPLOY_HOST }} bash -s \
             -e REGISTRY_URL=${{ env.REGISTRY_URL }} \
             -e IMAGE_NAME=${{ env.IMAGE_NAME }} \
             -e IMAGE_TAG=${IMAGE_TAG} \