CI: auto-deploy to VPS on push to main

After the build check passes, SSH to the VPS with a forced-command key
(can only run deploy.sh) which pulls main, builds, and rsyncs dist/ to
public_html. Replaces the manual `ssh myvps ... deploy.sh` step.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

.github/workflows/ci.yml

@@ -25,3 +25,24 @@ jobs:
 
       - name: Build
         run: bun run build
+
+  deploy:
+    # Auto-deploy to the VPS (avria.cloud) on every push to main.
+    # The SSH key is restricted on the server (forced command): it can only
+    # run /home/avria/deploy.sh, which pulls main, builds, and rsyncs
+    # dist/ -> public_html. The command string below is therefore ignored
+    # by the server but kept descriptive.
+    needs: build
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Deploy to VPS
+        run: |
+          mkdir -p ~/.ssh
+          printf '%s\n' "$VPS_DEPLOY_KEY" > ~/.ssh/deploy_key
+          chmod 600 ~/.ssh/deploy_key
+          printf '%s\n' "$VPS_HOST_KEY" > ~/.ssh/known_hosts
+          ssh -i ~/.ssh/deploy_key -o IdentitiesOnly=yes avria@2.25.155.250 "deploy main"
+        env:
+          VPS_DEPLOY_KEY: ${{ secrets.VPS_DEPLOY_KEY }}
+          VPS_HOST_KEY: ${{ secrets.VPS_HOST_KEY }}