ci: add ansible-galaxy collection install to deploy workflows

Both deploy-on-merge.yml and deploy.yml install ansible via pip but
never install the required Galaxy collections (community.docker,
community.general, ansible.posix) from ansible/requirements.yml.

This works by accident because the pip ansible package bundles some
collections, but it's fragile — a pip upgrade or runner image change
could break deploys silently.

Fixes PESO-110

.github/workflows/deploy-on-merge.yml

@@ -38,6 +38,9 @@ jobs:
           wget -qO /tmp/sops.deb https://github.com/getsops/sops/releases/download/v3.9.4/sops_3.9.4_amd64.deb
           sudo dpkg -i /tmp/sops.deb
 
+      - name: Install Ansible collections
+        run: ansible-galaxy install -r ansible/requirements.yml
+
       - name: Decrypt secrets
         env:
           SOPS_AGE_KEY: ${{ secrets.AGE_SECRET_KEY }}

.github/workflows/deploy.yml

@@ -48,6 +48,9 @@ jobs:
           wget -qO /tmp/sops.deb https://github.com/getsops/sops/releases/download/v3.9.4/sops_3.9.4_amd64.deb
           sudo dpkg -i /tmp/sops.deb
 
+      - name: Install Ansible collections
+        run: ansible-galaxy install -r ansible/requirements.yml
+
       - name: Decrypt secrets
         env:
           SOPS_AGE_KEY: ${{ secrets.AGE_SECRET_KEY }}