fix(deploy): drop bash-source of .env.macmini in migration-step

Same fix as commit 97e285bc6 (backup-script): `. "$ENV_FILE"` breaks
on DOTENV values with unquoted whitespace — `MANA_AI_PUBLIC_KEY_PEM`
contains `-----BEGIN PUBLIC KEY-----…`, bash parses "PUBLIC" as the
next command and fails with `PUBLIC: command not found`.

Replaced the full bash-source with a targeted grep for the only env
var the migration step actually needs (POSTGRES_PASSWORD).

Quotes (single/double) around the value are stripped if present.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.github/workflows/cd-macmini.yml

@@ -339,12 +339,17 @@ jobs:
           # If a service has no Drizzle config or no schema diff this is
           # a fast no-op. We must source POSTGRES_PASSWORD from the env
           # file because the workflow env doesn't carry it.
+          #
+          # `. "$ENV_FILE"` (bash source) breaks on DOTENV-Werte, die
+          # ungequotete Leerzeichen enthalten — z.B. `MANA_AI_PUBLIC_KEY_PEM`
+          # mit `-----BEGIN PUBLIC KEY-----…`: bash interpretiert "PUBLIC"
+          # als nächstes Command und scheitert mit `PUBLIC: command not
+          # found`. Backup-Script hat dasselbe Problem (Commit 97e285bc6).
+          # Wir lesen daher gezielt nur die benötigten Variablen via grep
+          # statt die ganze Datei als Shell-Script zu sourcen.
           echo "=== Applying schema migrations ==="
-          set -a
+          PG_PASSWORD=$(grep -E '^POSTGRES_PASSWORD=' "$ENV_FILE" | head -1 | cut -d= -f2- | sed 's/^"\(.*\)"$/\1/; s/^'"'"'\(.*\)'"'"'$/\1/')
-          # shellcheck source=/dev/null
+          PG_PASSWORD="${PG_PASSWORD:-mana123}"
-          . "$ENV_FILE"
-          set +a
-          PG_PASSWORD="${POSTGRES_PASSWORD:-mana123}"
 
           # `drizzle-kit` reads `drizzle.config.ts`, which itself
           # `import {defineConfig} from 'drizzle-kit'`. Node's resolver