The deploy jobs used appleboy/ssh-action, a remote `uses:` action that
races on home-runner-1's shared /root/.cache/act/<hash> exactly like the
build actions did — which is why 8 concurrent game deploys all failed
("worktree contains unstaged changes" / no repo on the box). Replace all
4 ssh-action steps with inline `ssh`/`scp` so the deploy jobs pull no
remote action at runtime; concurrent multi-game deploys are now safe.
Also harden the secrets write: validate BUILD_ENV/provisioner-password
are non-empty, and push them as FILES via scp so `docker compose up` can
never auto-create a missing bind-mount source as a root-owned directory
(the "is a directory" cert-init failure we hit on rememed/cms). The
registry token is handed over via a transient 0600 file (out of process
args and the run log) instead of inline in the script.
enricobuehler
8dc5812f1b