fix: three deploy failures from run #1424 (#369)

## Summary

Fixes three distinct failures from CI deploy run #1424 and concurrent website update failures.

- **Play Store job**: `pip install google-auth requests` fails on Ubuntu 24.04 with PEP 668. Fixed by using `python3 -m venv` for an isolated install.
- **SSH key error (APK, Linux, website jobs)**: All SSH/rsync steps fail with `Load key "/root/.ssh/id_ed25519": error in libcrypto` inside the Dagger Alpine 3.21 container. This is the first time these jobs actually ran (all previous deploy runs had every job skipped). Two fixes:
  - `setup_dagger_remote.sh`: `export_secret` was appending an extra trailing newline to values (like SSH private keys) that already end with `\n`. Now only adds one when needed.
  - `ci/main.go` `Deployer`: mounts the key at a `.raw` path, strips Windows-style CRLF endings with `tr -d '\r'`, then writes the normalised key to `id_ed25519`. CRLF bytes cause "error in libcrypto" in Alpine's LibreSSL-backed openssh.

## Test plan
- [ ] Deploy run triggers after merge; all three deploy jobs complete
- [ ] Play Store verification step passes
- [ ] SSH commands in Alpine load the key without `error in libcrypto`

Closes #366

Co-authored-by: Thomas SharedInbox <sharedinbox@thomas-guettler.de>
Reviewed-on: https://codeberg.org/guettli/sharedinbox/pulls/369

.forgejo/workflows/deploy.yml

@@ -162,8 +162,9 @@ jobs:
 
       - name: Verify Play Store deployment
         run: |
-          pip install google-auth requests --quiet 2>&1 | grep -v "already satisfied" || true
+          python3 -m venv /tmp/playstore-venv
-          python3 scripts/verify_playstore_deploy.py
+          /tmp/playstore-venv/bin/pip install google-auth requests --quiet
+          /tmp/playstore-venv/bin/python3 scripts/verify_playstore_deploy.py
 
 
   deploy-apk:

ci/main.go

@@ -338,7 +338,12 @@ func (m *Ci) Deployer(sshKey *dagger.Secret, knownHosts *dagger.Secret) *dagger.
 	return dag.Container().
 		From("alpine:3.21").
 		WithExec([]string{"apk", "--no-cache", "add", "rsync", "openssh-client", "python3", "tar"}).
-		WithMountedSecret("/root/.ssh/id_ed25519", sshKey, dagger.ContainerWithMountedSecretOpts{Mode: 0600}).
+		// Mount at a raw path so we can normalise before use: strip any CRLF line
+		// endings that appear when the key is stored or exported on Windows, which
+		// cause "error in libcrypto" in Alpine's LibreSSL-backed openssh.
+		WithMountedSecret("/root/.ssh/id_ed25519.raw", sshKey, dagger.ContainerWithMountedSecretOpts{Mode: 0600}).
+		WithExec([]string{"sh", "-c",
+			"tr -d '\\r' < /root/.ssh/id_ed25519.raw > /root/.ssh/id_ed25519 && chmod 600 /root/.ssh/id_ed25519"}).
 		WithMountedSecret("/root/.ssh/known_hosts", knownHosts, dagger.ContainerWithMountedSecretOpts{Mode: 0644}).
 		WithEnvVariable("RSYNC_RSH", "ssh -i /root/.ssh/id_ed25519")
 }

scripts/setup_dagger_remote.sh

@@ -23,10 +23,13 @@ export_secret() {
     local value
     value=$(jq -r --arg k "$name" '.[$k] // empty' "$SECRETS_JSON")
     if [ -n "${GITHUB_ENV:-}" ]; then
-        # Use heredoc syntax for multiline-safe export
+        # Use heredoc syntax for multiline-safe export.
+        # Avoid adding a second trailing newline for values that already end with one
+        # (e.g. SSH private keys), which can corrupt PEM parsing.
         {
             printf '%s<<__EOF__\n' "$name"
-            printf '%s\n' "$value"
+            printf '%s' "$value"
+            [ "${value%$'\n'}" = "$value" ] && printf '\n'
             printf '__EOF__\n'
         } >> "$GITHUB_ENV"
     fi