fix: replace sand4rt/ftp-deployer with inline sshpass+sftp

The third-party ftp-deployer action is replaced with a plain run: step
using only standard Linux tools available on ubuntu-latest runners.

Behaviour is identical:
- SFTP upload (port 22) of nvme-cli-* files to /upload/ on the server
- No remote cleanup

Security improvements over the old action:
- No untrusted third-party code runs in the workflow
- Server host key verified against SFTP_HOST_KEY secret (no TOFU)
- All secrets passed as environment variables, never on the command line
- known_hosts written fresh each run (> not >>)
- Glob guarded with [ -f ] to handle no-match safely

A new SFTP_HOST_KEY repository secret must be added. Its value is the
output of: ssh-keyscan <SFTP_SERVER>

Co-authored-by: igaw <[email protected]>

Author: Copilot

.github/workflows/upload.yml

@@ -66,19 +66,23 @@ jobs:
           name: nvme-cli
           path: upload
 
-      - name: FTP Deployer
-        uses: sand4rt/ftp-deployer@518beaad91d1b18fd55a69321de7ed89080d2ae3 # v1.8
-        with:
-          sftp: true
-          host: ${{ secrets.SFTP_SERVER }}
-          port: 22
-          username: ${{ secrets.SFTP_USERNAME }}
-          password: ${{ secrets.SFTP_PASSWORD }}
-          remote_folder: '/upload'
-          local_folder: upload
-          cleanup: false
-          include: '[ "nvme-cli-*" ]'
-          exclude: '[".github/**", ".git/**", "*.env"]'
+      - name: upload to SFTP server
+        env:
+          SSHPASS: ${{ secrets.SFTP_PASSWORD }}
+          SFTP_USERNAME: ${{ secrets.SFTP_USERNAME }}
+          SFTP_SERVER: ${{ secrets.SFTP_SERVER }}
+          SFTP_HOST_KEY: ${{ secrets.SFTP_HOST_KEY }}
+        run: |
+          sudo apt-get install -y sshpass
+          mkdir -p ~/.ssh
+          echo "${SFTP_HOST_KEY}" > ~/.ssh/known_hosts
+          (
+            echo "cd /upload"
+            for f in upload/nvme-cli-*; do
+              [ -f "$f" ] || continue
+              echo "put $f $(basename "$f")"
+            done
+          ) | sshpass -e sftp -b - "${SFTP_USERNAME}@${SFTP_SERVER}"
 
   upload-release-assets:
     name: upload GitHub release assets