ci(deploy): harden deploy-obs config step with set -euo pipefail

A failed cp/mkdir in the deploy-configs step was previously swallowed (the step
had no set -e), so a broken config copy could still reach the validate step. The
five-key guard catches empty secrets but not a failed copy. -u also catches a
typo'd env var name. Raised in review (Sara, Tobias).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

.gitea/actions/deploy-obs/action.yml

@@ -53,6 +53,7 @@ runs:
         POSTGRES_PASSWORD: ${{ inputs.postgres_password }}
         POSTGRES_HOST: ${{ inputs.postgres_host }}
       run: |
+        set -euo pipefail
         rm -rf /opt/familienarchiv/infra/observability
         mkdir -p /opt/familienarchiv/infra/observability
         cp -r infra/observability/. /opt/familienarchiv/infra/observability/