ci: restore environment scoping, add secret validation step

Add explicit check that DATABASE_URL is set before running migrations.
Restore environment: production for migrate and deploy jobs.

Author: richiemcilroy

.github/workflows/deploy-api.yml

@@ -60,6 +60,7 @@ jobs:
     needs: check
     runs-on: ubuntu-latest
     timeout-minutes: 5
+    environment: production
     steps:
       - uses: actions/checkout@v4
 
@@ -69,6 +70,16 @@ jobs:
 
       - run: bun install --frozen-lockfile
 
+      - name: Validate secrets
+        run: |
+          if [ -z "$DATABASE_URL" ]; then
+            echo "::error::DATABASE_URL secret is not set. Add it to repo Settings → Secrets or the 'production' environment."
+            exit 1
+          fi
+          echo "DATABASE_URL is set (${#DATABASE_URL} chars)"
+        env:
+          DATABASE_URL: ${{ secrets.DATABASE_URL }}
+
       - name: Run database migrations
         run: bun run db:migrate:run
         env:
@@ -79,6 +90,7 @@ jobs:
     needs: migrate
     runs-on: ubuntu-latest
     timeout-minutes: 15
+    environment: production
     steps:
       - uses: actions/checkout@v4