Ensure deploy workflow depends on all checks passing

[braboj]

What

The deploy workflow should not run unless all quality checks and the build pass. Review the current pipeline order and ensure correct dependencies:

1. Checks (lint, CodeQL, Lighthouse) + Build must pass
2. Only then deploy

Why

Currently deploy may trigger independently of checks. A failed security scan or broken accessibility score should block deployment.

Tasks

• Review current deploy.yml triggers and dependencies
• Add needs: dependencies or branch protection rules so deploy is gated on all checks
• Consider consolidating checks → build → deploy into a single pipeline or using branch protection required status checks