fix: move PG_USER/PG_PASSWORD before DB_URL in logto.yaml

K8s $(VAR) substitution only resolves env vars defined earlier in the
list. PG_USER and PG_PASSWORD must come before DB_URL.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

deploy/logto.yaml

@@ -119,6 +119,16 @@ spec:
           env:
             - name: TRUST_PROXY_HEADER
               value: "1"
+            - name: PG_USER
+              valueFrom:
+                secretKeyRef:
+                  name: logto-credentials
+                  key: PG_USER
+            - name: PG_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: logto-credentials
+                  key: PG_PASSWORD
             - name: DB_URL
               value: "postgresql://$(PG_USER):$(PG_PASSWORD)@logto-postgresql:5432/logto"
             - name: ENDPOINT
@@ -131,16 +141,6 @@ spec:
                 secretKeyRef:
                   name: logto-credentials
                   key: ADMIN_ENDPOINT
-            - name: PG_USER
-              valueFrom:
-                secretKeyRef:
-                  name: logto-credentials
-                  key: PG_USER
-            - name: PG_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: logto-credentials
-                  key: PG_PASSWORD
           resources:
             requests:
               memory: "256Mi"