git

How can you do without passwords for git, ssh under Gulp?

DD. I’ll say in advance that maybe I chose the wrong tool, but for now I want to get by with what we already use.
I did the following thing for deployment on Gulp:

'use strict';
var gulp = require('gulp'),
    // ...
    fs = require('fs'),
    expandTilde = require('expand-tilde'),
    GulpSSH = require('gulp-ssh'),
    config = require('./gulp-config.json');

//...

// deploy
var gulpSSH = new GulpSSH({
    ignoreErrors: false,
    sshConfig: {
        host: 'host',
        port: 'port',
        username: 'username',
        privateKey: fs.readFileSync(expandTilde('~/.ssh/id_rsa')),
        passphrase: config.ssh.passphrase
    }
});

gulp.task('deploy', function () {
    return gulpSSH
        .shell([
            // пробелы перед командами, чтоб в историю не записывал на сервере
            ' cd /var/www/webiste',
            ' git pull https://' + config.git.username + ':' + config.git.password + '@bitbucket.org/username/project.git',
            ' composer install --prefer-dist --no-scripts --quiet',
            ' composer dump-autoload --optimize --no-dev --quiet',
            // ' php yii migrate', // todo: test!
            ' npm install',
            ' npm run prod'
        ], {filePath: 'deploy.log'})
        .pipe(gulp.dest('./gulp'))
});

./gulp-config.json

{
  "ssh": {
    "passphrase": "Пароль от ssh ключа"
  },
  "git": {
    "username": "Логин битбакета",
    "password": "Пароль битбакета"
  }
}

In fact, everything works, but passwords shine in the window and in the logs.
1. The problem is in the password from the ssh key (passphrase), I tried everything, but without it it does not want to work at least under MacOS, throws an error:
"Error: Encrypted private key detected, but no passphrase given"
yes, the gulp-config.json file in ignore and do not send to turnips, but still store the password in clear text?
2. Login and password from the central turnip.
Of course, you can make a key for the server and pull it from the bitbucket, but it’s more convenient to leave everything on a bunch of login and password. Here I see two ways:
- somehow transfer the git'a request for a login and password to the user, and he will already indicate himself (now everyone indicates their own)
- somehow can set up "ForwardAgent yes" for SSH, so that you can use it on the production / test server, and then somehow transfer the key to git . those. git pull on the server will use the key of the user who logged in and ran the command.
If there are any other ideas, comments on the code, I will be glad to listen.
Thanks in advance.