chore: align deploy workflow with inventory canonical

Brings nanodrop into parity with ~/inventory/.github/workflows/deploy.yml,
the cross-project canonical:

- Rename .github/workflows/deploy-homelab.yml -> deploy.yml
- Update workflow name to "Deploy to birb co. production"
- Add validate-secrets gate (SSH_PRIVATE_KEY, JWT_SECRET) using
  ${VAR:?msg} no-op expansion (does not echo secret values)
- Switch deploy heredoc from << 'EOF' (quoted) to << EOF (unquoted)
  to match canonical; functional no-op since the body contains no
  bash $VAR refs, only GitHub Actions ${{ ... }} interpolations
- Single-quote the right-hand side of interpolated export values to
  prevent shell-metacharacter re-interpretation server-side
- Reorder exports: secret first, then hardcoded literals, then vars
- Rename docker-compose.yml -> compose.yaml (pure rename) and update
  the workflow's compose invocations to reference compose.yaml
- Update one README example to match the new compose filename

The env-var block remains nanodrop-specific (JWT_SECRET +
TRUST_PROXY/COOKIE_SECURE literals + PORT/BASE_URL/MAX_FILE_SIZE);
that delta is allowed by the bug spec.

No app-code changes. Build and tests green.

Manual deploy verification (push to main / "Run workflow" -> hit the
deployed instance, log in, upload a test file, confirm share link)
is the user's job post-merge.

.github/workflows/deploy.yml

@@ -0,0 +1,56 @@
+name: "Deploy to birb co. production"
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v3
+
+    - name: Validate required secrets
+      run: |
+        set -euo pipefail
+        : "${SSH_PRIVATE_KEY:?SSH_PRIVATE_KEY secret must be set}"
+        : "${JWT_SECRET:?JWT_SECRET secret must be set}"
+      env:
+        SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+        JWT_SECRET: ${{ secrets.JWT_SECRET }}
+
+    - name: Set up SSH key
+      run: |
+        mkdir -p ~/.ssh
+        echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_ed25519
+        chmod 600 ~/.ssh/id_ed25519
+        ssh-keyscan ${{ vars.HOST }} >> ~/.ssh/known_hosts
+
+    - name: Remove directory from server
+      run: |
+        ssh -i ~/.ssh/id_ed25519 ${{ vars.USERNAME }}@${{ vars.HOST }} << 'EOF'
+          rm -rf ~/${{ vars.DIRECTORY_NAME }}
+        EOF
+
+    # Avoid needing to set up SSH access to GitHub for this user
+    - name: Transfer repository files to server
+      run: |
+        scp -i ~/.ssh/id_ed25519 -r ./* ${{ vars.USERNAME }}@${{ vars.HOST }}:~/${{ vars.DIRECTORY_NAME }}
+
+    - name: Deploy on server with Docker
+      run: |
+        ssh -i ~/.ssh/id_ed25519 ${{ vars.USERNAME }}@${{ vars.HOST }} << EOF
+          cd ~/${{ vars.DIRECTORY_NAME }}
+          export JWT_SECRET='${{ secrets.JWT_SECRET }}'
+          export TRUST_PROXY=true
+          export COOKIE_SECURE=true
+          export PORT='${{ vars.PORT }}'
+          export BASE_URL='${{ vars.BASE_URL }}'
+          export MAX_FILE_SIZE='${{ vars.MAX_FILE_SIZE }}'
+          docker compose -f compose.yaml down
+          docker compose -f compose.yaml up -d --build
+        EOF