Mirror played/workflows build-deploy-game.yml so a freshly provisioned
unom-1 box self-installs the website repo on first deploy instead of
failing on a missing ~/unom-website checkout.
Before `cd ~/unom-website` the remote ssh script now:
- installs git if absent (deploy user has NOPASSWD sudo)
- clones the repo if ~/unom-website/.git is missing, reusing the
existing REGISTRY_USER / REGISTRY_TOKEN secrets
Registry creds are passed into the remote shell via appleboy/ssh-action
`envs:` and consumed from the environment (docker login now uses
--password-stdin), so the token is never interpolated into the script
text / run log / process args.
Refs task #27.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
enricobuehler
76dabef23d