Original workflow ran 'docker build + docker run trivy' inside the
Gitea Actions runner — but that container has no docker CLI ('docker:
command not found'). Move both build and scan into the same SSH
session as deploy, where docker is available natively. Mirrors how
anotherreflections-website-v2 does it (single SSH session with
build → scan → up -d → health → prune).
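
The build → scan → up -d → health → prune ordering described above, as an added example that is not taken from this repository's workflow or from the referenced project. The image tag, health URL, retry settings, the `HIGH,CRITICAL` threshold, the `aquasec/trivy` container with a mounted Docker socket, and a compose file in the working directory are all assumptions.

```shell
#!/bin/sh
# Added example: run on the deploy host, inside the single SSH session.
# Each stage must succeed before the next runs; a failed scan blocks "up -d".

deploy_pipeline() {
    image="${1:?usage: deploy_pipeline IMAGE [HEALTH_URL]}"
    health_url="${2:-http://127.0.0.1:8080/healthz}"   # assumed endpoint
    retries="${HEALTH_RETRIES:-10}"                    # assumed defaults
    delay="${HEALTH_DELAY:-3}"

    # 1. build: uses the host's native docker CLI
    docker build -t "$image" . || { echo "build failed" >&2; return 1; }

    # 2. scan: Trivy exits non-zero on HIGH/CRITICAL findings (fail closed)
    docker run --rm \
        -v /var/run/docker.sock:/var/run/docker.sock \
        aquasec/trivy image --exit-code 1 --severity HIGH,CRITICAL "$image" \
        || { echo "scan gate failed, not deploying" >&2; return 2; }

    # 3. up -d: only reached when the scan passed
    docker compose up -d || { echo "compose up failed" >&2; return 3; }

    # 4. health: poll until the service answers or retries run out
    i=0
    until curl -fsS -o /dev/null "$health_url"; do
        i=$((i + 1))
        if [ "$i" -ge "$retries" ]; then
            echo "health check failed after $i attempts" >&2
            return 4
        fi
        sleep "$delay"
    done

    # 5. prune: remove dangling images only after a healthy deploy
    docker image prune -f
}

# Runs only when DEPLOY_IMAGE is set, e.g. by the CI job's SSH step.
if [ -n "${DEPLOY_IMAGE:-}" ]; then
    deploy_pipeline "$DEPLOY_IMAGE" "${HEALTH_URL:-}"
fi
```

The distinct return codes let the CI log show which stage stopped the deploy.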