fix(ci): use SCP credentials file for docker auth on SSH deploy

.gitea/workflows/deploy.yml

@@ -558,15 +558,19 @@ jobs:
           TOKEN="$VALID_TOKEN"
 
           DB_CONTAINER="${{ needs.prepare.outputs.project_name }}-postgres-db-1"
-          ssh root@alpha.mintel.me bash <<DEPLOYEOF
-          set -e
-          docker network create '${{ needs.prepare.outputs.project_name }}-internal' || true
-          docker volume create 'mintel-me_payload-db-data' || true
-          echo '$TOKEN' | docker login git.infra.mintel.me -u '$VALID_USER' --password-stdin
-          cd $SITE_DIR
-          docker compose -p '${{ needs.prepare.outputs.project_name }}' --env-file '$ENV_FILE' pull
-          docker compose -p '${{ needs.prepare.outputs.project_name }}' --env-file '$ENV_FILE' up -d --remove-orphans
-          DEPLOYEOF
+          # Write docker credentials to a temp file locally, scp to remote, use it for docker auth
+          B64_AUTH=$(printf '%s:%s' "$VALID_USER" "$TOKEN" | base64 -w 0)
+          printf '{"auths":{"git.infra.mintel.me":{"auth":"%s"}}}' "$B64_AUTH" > /tmp/docker_creds.json
+          scp /tmp/docker_creds.json root@alpha.mintel.me:/tmp/docker_creds.json
+          rm /tmp/docker_creds.json
+          ssh root@alpha.mintel.me "
+            mkdir -p ~/.docker && cp /tmp/docker_creds.json ~/.docker/config.json && rm /tmp/docker_creds.json
+            docker network create '${{ needs.prepare.outputs.project_name }}-internal' || true
+            docker volume create 'mintel-me_payload-db-data' || true
+            cd $SITE_DIR
+            docker compose -p '${{ needs.prepare.outputs.project_name }}' --env-file '$ENV_FILE' pull
+            docker compose -p '${{ needs.prepare.outputs.project_name }}' --env-file '$ENV_FILE' up -d --remove-orphans
+          "
 
       - name: 🧹 Post-Deploy Cleanup (Runner)
         if: always()