vitalyliber / dokku-github-action

Deploy applications to Dokku

Home Page: https://vitalyliber.com/courses/deploj-prilozhenij-s-dokku


Runs keyscan but then disables hosts checking?

WilliamMayor opened this issue · comments

I might just be misunderstanding something but...

You run ssh-keyscan on the host and save the results to the known_hosts file, but you're telling git to not run strict host checking, and you override the known hosts file location to /dev/null/.

Can you remove the keyscan part? Or does that break things?

Or is it better to turn the host checking back on?

It feels like you don't get much protection from the keyscan in this case because you're running the keyscan immediately before connecting to the host. So of course the host key hasn't changed!

Maybe the results of the keyscan could be added as an optional secret? So we can keyscan when we set up the action and if the host key changes at some point in the future the deploy would fail.
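The pinning idea proposed in the issue above, sketched as an added example that is not part of the thread or the action's own code: the known_hosts entry comes from a secret captured once at setup, and strict host checking stays on so a changed host key fails the deploy. The function names and the `DOKKU_HOST_KEY` secret name are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not the action's code). DOKKU_HOST_KEY is a hypothetical
# secret holding known_hosts lines captured once at setup, e.g. with
#   ssh-keyscan -t ed25519 <host>
# and checked against the server's real key before being stored.

# Pattern described in the issue: scan at deploy time, then skip checking.
#   ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null ...

# Succeeds only if there is at least one entry and every entry has the
# fields "host keytype base64key". Marker lines (@cert-authority, @revoked)
# are rejected to keep the pin a plain host-to-key mapping.
valid_known_hosts() {
  printf '%s\n' "$1" | awk '
    NF == 0 || /^#/ { next }
    { n++ }
    NF < 3 || $2 !~ /^(ssh-|ecdsa-|sk-)/ { bad = 1 }
    END { exit (bad || n == 0) }'
}

# Write the pinned entries to $2 (mode 0600). Fails closed on an empty or
# malformed secret rather than falling back to a live scan.
write_pinned_known_hosts() {
  if ! valid_known_hosts "$1"; then
    echo "pinned host key missing or malformed; refusing to deploy" >&2
    return 1
  fi
  ( umask 077; printf '%s\n' "$1" > "$2" )
}

# ssh command line for git: only keys in the pinned file are trusted.
# The path must not contain spaces.
pinned_ssh_command() {
  printf 'ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s' "$1"
}

# Deploy step: export GIT_SSH_COMMAND only once the pin is in place, e.g.
#   prepare_git_ssh "$DOKKU_HOST_KEY" "$HOME/.ssh/known_hosts_dokku" || exit 1
# followed by the usual git push to the Dokku remote.
prepare_git_ssh() {
  write_pinned_known_hosts "$1" "$2" || return 1
  GIT_SSH_COMMAND="$(pinned_ssh_command "$2")"
  export GIT_SSH_COMMAND
}
```

If the server's key is rotated legitimately, the deploy fails until the secret is updated with the newly verified key, which is the behaviour the issue asks for.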

@WilliamMayor thank you for your research! I think you can create a new pull request with improvements 👨🏻‍💻

@WilliamMayor thank you! Good work!