How to allow GitHub Actions SSH access to a VM with restricted firewall on port 22?

GitHub Actions publish their IP ranges via an API. You would need to scrape this and auto-configure your firewall.

curl -s https://api.github.com/meta | jq -r '.actions[]'

NOTE: There are both IPv4 and IPv6 ranges.

Alternatively, you could switch to a pull model of deployment from you SSH push model. You could publish your deployment artifacts as a release on the repo. Then you could setup a webhook from GitHub on your VM to listen for repo events such as release published, pull and deploy your artifacts to the VM.

You could publish you image to GitHub Container registry as well and then deploy that image on event.

You can also periodically check the Container registry from the VM looking for new version and then deploy.