fix: Deploy without sudo mv (write env directly)

.gitea/workflows/deploy.yml

@@ -118,16 +118,13 @@ jobs:
           rsync -az \
             -e "ssh -i ~/.ssh/deploy_key -o StrictHostKeyChecking=yes" \
             ./backend.env \
-            "${{ secrets.DEPLOY_USER }}@${{ secrets.DEPLOY_HOST }}:/tmp/pounce-backend.env"
+            "${{ secrets.DEPLOY_USER }}@${{ secrets.DEPLOY_HOST }}:/data/pounce/env/backend.env"
 
       - name: Deploy on server (pounce-deploy)
         run: |
           ssh -i ~/.ssh/deploy_key "${{ secrets.DEPLOY_USER }}@${{ secrets.DEPLOY_HOST }}" << 'DEPLOY_EOF'
           set -euo pipefail
-          mkdir -p /data/pounce/env
-          # Move env file into place (requires no password due to sudoers rule)
-          sudo mv /tmp/pounce-backend.env /data/pounce/env/backend.env
-          sudo chmod 600 /data/pounce/env/backend.env
+          chmod 600 /data/pounce/env/backend.env
           sudo /usr/local/bin/pounce-deploy
           DEPLOY_EOF