chore: align deploy workflow with inventory canonical

Brings nanodrop into parity with ~/inventory/.github/workflows/deploy.yml,
the cross-project canonical:

- Rename .github/workflows/deploy-homelab.yml -> deploy.yml
- Update workflow name to "Deploy to birb co. production"
- Add validate-secrets gate (SSH_PRIVATE_KEY, JWT_SECRET) using
  ${VAR:?msg} no-op expansion (does not echo secret values)
- Switch deploy heredoc from << 'EOF' (quoted) to << EOF (unquoted)
  to match canonical; functional no-op since the body contains no
  bash $VAR refs, only GitHub Actions ${{ ... }} interpolations
- Single-quote the right-hand side of interpolated export values to
  prevent shell-metacharacter re-interpretation server-side
- Reorder exports: secret first, then hardcoded literals, then vars
- Rename docker-compose.yml -> compose.yaml (pure rename) and update
  the workflow's compose invocations to reference compose.yaml
- Update one README example to match the new compose filename

The env-var block remains nanodrop-specific (JWT_SECRET +
TRUST_PROXY/COOKIE_SECURE literals + PORT/BASE_URL/MAX_FILE_SIZE);
that delta is allowed by the bug spec.

No app-code changes. Build and tests green.

Manual deploy verification (push to main / "Run workflow" -> hit the
deployed instance, log in, upload a test file, confirm share link)
is the user's job post-merge.

.github/workflows/deploy.yml

@@ -1,4 +1,4 @@
-name: "Deploy to Homelab"
+name: "Deploy to birb co. production"
 
 on:
   push:
@@ -14,6 +14,15 @@ jobs:
     - name: Check out repository
       uses: actions/checkout@v3
 
+    - name: Validate required secrets
+      run: |
+        set -euo pipefail
+        : "${SSH_PRIVATE_KEY:?SSH_PRIVATE_KEY secret must be set}"
+        : "${JWT_SECRET:?JWT_SECRET secret must be set}"
+      env:
+        SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+        JWT_SECRET: ${{ secrets.JWT_SECRET }}
+
     - name: Set up SSH key
       run: |
         mkdir -p ~/.ssh
@@ -34,15 +43,14 @@ jobs:
 
     - name: Deploy on server with Docker
       run: |
-        ssh -i ~/.ssh/id_ed25519 ${{ vars.USERNAME }}@${{ vars.HOST }} << 'EOF'
+        ssh -i ~/.ssh/id_ed25519 ${{ vars.USERNAME }}@${{ vars.HOST }} << EOF
           cd ~/${{ vars.DIRECTORY_NAME }}
+          export JWT_SECRET='${{ secrets.JWT_SECRET }}'
           export TRUST_PROXY=true
           export COOKIE_SECURE=true
-          export JWT_SECRET=${{ secrets.JWT_SECRET }}
-          export PORT=${{ vars.PORT }}
-          export BASE_URL=${{ vars.BASE_URL }}
-          export MAX_FILE_SIZE=${{ vars.MAX_FILE_SIZE }}
-          docker compose -f docker-compose.yml down
-          docker compose -f docker-compose.yml up -d --build
+          export PORT='${{ vars.PORT }}'
+          export BASE_URL='${{ vars.BASE_URL }}'
+          export MAX_FILE_SIZE='${{ vars.MAX_FILE_SIZE }}'
+          docker compose -f compose.yaml down
+          docker compose -f compose.yaml up -d --build
         EOF
-

README.md

@@ -144,7 +144,7 @@ bantime  = 600
 Adjust `logpath` to wherever your `LOG_FILE` is. With Docker, the log file lives inside the `nanodrop-data` volume — mount it to a host path or bind-mount a host directory instead of the named volume to make it accessible to fail2ban:
 
 ```yaml
-# docker-compose.yml override
+# compose.yaml override
 volumes:
   - /var/lib/nanodrop:/app/data
 ```