a newly provisioned host cannot be updated by the continuous deployment system

Continuous deployment works by logging in as the deployment user using the ssh private key (the "deploy key"). A newly provisioned host will not have this user or an authorized keys file properly configured to respect this key.

It is much more likely that a newly provisioned system will allow login as root using some other key. It would be handy if the continuous deployment system detected this condition and fell back to driving a deployment using those credentials instead. After one update, deployment should exist and be properly configured so the root credentials could be updated somehow at that point if desired.