fix: ensure SSH key cleanup on failure in CD workflow

.gitea/workflows/cd.yml

@@ -32,6 +32,8 @@ jobs:
 
       - name: Update infra repo
         run: |
+          set -e
+          trap 'rm -rf /tmp/infra-update; rm -f ~/.ssh/infra_deploy_key' EXIT
           IMAGE_TAG="${{ github.sha }}"
           mkdir -p ~/.ssh
           echo "${{ secrets.INFRA_DEPLOY_KEY }}" > ~/.ssh/infra_deploy_key
@@ -52,6 +54,4 @@ jobs:
           GIT_SSH_COMMAND="ssh -i ~/.ssh/infra_deploy_key -o IdentitiesOnly=yes" \
             git push
 
-          rm -rf /tmp/infra-update
-          rm ~/.ssh/infra_deploy_key
           echo "Infra repo updated: ${SERVICE} → ${IMAGE_TAG}"