ci: adopt reusable deploy workflow and move inventory to terraform/

[NWarila]

Summary

Adopt the framework reusable deploy workflow and align the runner inventory layout to it.

Changes

• Move the 20 public repo definitions repos/public/ -> terraform/public/ (pure renames) and update the deny-all .gitignore allowlist. The reusable overlays runner/terraform/{public,private}, so the inventory must live under terraform/.
• Replace the inline terraform.yml job with a caller of reusable-terraform-deploy.yaml@37602cb8, adding import-adoption (no create-conflicts) and a plan_only dry-run on pull requests.
• plan_only: github.event_name == pull_request -> PRs touching terraform/** get a no-apply plan preview; push to main / manual dispatch apply.
• Drop the skip_refresh toggle (phantom state cleared in Drop 5 declarations for repos that no longer exist (unblocks terraform plan) #23) and the hardcoded owner (derived from github_owner).

Safety

• State key unchanged: nwarila-platform/github-terraform-runner/terraform.tfstate.
• All 20 inventory YAMLs verified git-tracked at the new path (no empty-inventory / destroy-all risk).

[NWarila]

Closing: wrong approach. The canonical reusable (runner-protocol.md) uses an overlay_paths input (repos/public=>terraform/repos/public) to map the runner's existing layout, so moving the inventory to terraform/ is unnecessary; and credential-free PR plans use backend_mode: local, not a custom plan_only. The right path is to sync github-terraform-framework's reusable from NWarila/terraform-framework-template and adopt it per the documented protocol.