ci: harden site deployment with Supabase support

[kanjiz1]

Summary

• Runs the existing Vercel deploy hook on release, qualifying main pushes, and manual dispatch with explicit missing-secret and curl failure handling.
• Keeps GitHub Pages deployment for push/manual runs, but skips it on release events so release-triggered Vercel deployments do not fail because of Pages.
• Moves workflow permissions to the jobs that need them.
• Adds an optional Supabase migration step in the deploy workflow, gated by SUPABASE_MIGRATIONS_ENABLED=true, guarded to refs/heads/main, and ordered before the Vercel hook.
• Adds a Supabase directory skeleton plus deployment documentation for required Vercel/Supabase secrets.

Validation

• ruby -e 'require "yaml"; YAML.load_file(".github/workflows/deploy-site.yml")'
• python3/tomllib parse of supabase/config.toml
• git diff --cached --check
• go run github.com/rhysd/actionlint/cmd/actionlint@latest .github/workflows/deploy-site.yml
• Staged-file secret-pattern scan found no concrete Vercel hook URLs, Supabase keys, JWTs, or project URLs.
• npm ci --no-audit --prefix website
• npm run build --prefix website succeeded; existing Docusaurus warnings remain for pre-existing docs links/anchors.

Deployment notes

Secrets/variables still need to be configured after merge before deployment is fully operational:

• GitHub secret: VERCEL_DEPLOY_HOOK
• Vercel project env: SUPABASE_URL, SUPABASE_PUBLISHABLE_KEY or legacy SUPABASE_ANON_KEY; server-only SUPABASE_SECRET_KEY or legacy SUPABASE_SERVICE_ROLE_KEY only if backend code needs elevated server access.
• GitHub secrets for migrations: SUPABASE_ACCESS_TOKEN, SUPABASE_PROJECT_ID, SUPABASE_DB_PASSWORD
• GitHub variable to enable migrations after review: SUPABASE_MIGRATIONS_ENABLED=true
• Optional GitHub variable: SUPABASE_CLI_VERSION