fix(deploy): harden runtime config and migrations

.github/workflows/cd.yml

@@ -62,7 +62,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: check-secrets
     timeout-minutes: 30
-    if: ${{ needs.check-secrets.outputs.eligible_event == 'true' && needs.check-secrets.outputs.secrets_ok == 'true' }}
+    if: ${{ needs.check-secrets.outputs.eligible_event == 'true' && needs.check-secrets.outputs.secrets_ok == 'true' && needs.check-secrets.outputs.db_secret_ok == 'true' }}
     env:
       GCP_REGION: ${{ vars.GCP_REGION || 'europe-west1' }}
       ARTIFACT_REPOSITORY: ${{ vars.ARTIFACT_REPOSITORY || 'household-bot' }}
@@ -90,7 +90,6 @@ jobs:
           service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
 
       - name: Run database migrations
-        if: ${{ needs.check-secrets.outputs.db_secret_ok == 'true' }}
         env:
           DATABASE_URL: ${{ secrets.DATABASE_URL }}
         run: bun run db:migrate
@@ -186,6 +185,18 @@ jobs:
       - name: Print configuration hint
         run: |
           echo "CD skipped: configure required GitHub secrets."
-          echo "Required: GCP_PROJECT_ID, GCP_WORKLOAD_IDENTITY_PROVIDER, GCP_SERVICE_ACCOUNT"
-          echo "Optional for auto-migrations: DATABASE_URL"
+          echo "Required: GCP_PROJECT_ID, GCP_WORKLOAD_IDENTITY_PROVIDER, GCP_SERVICE_ACCOUNT, DATABASE_URL"
           echo "Optional repo/service vars: GCP_REGION, ARTIFACT_REPOSITORY, CLOUD_RUN_SERVICE_BOT, CLOUD_RUN_SERVICE_MINI"
+
+  deploy-blocked-db:
+    name: Deploy blocked (missing DATABASE_URL)
+    runs-on: ubuntu-latest
+    needs: check-secrets
+    if: ${{ needs.check-secrets.outputs.eligible_event == 'true' && needs.check-secrets.outputs.secrets_ok == 'true' && needs.check-secrets.outputs.db_secret_ok != 'true' }}
+
+    steps:
+      - name: Fail fast on missing DATABASE_URL
+        run: |
+          echo "CD blocked: DATABASE_URL GitHub secret is required."
+          echo "This workflow now refuses to deploy without running migrations against the target database."
+          exit 1