Removes all ghcr.io and registry dependencies. Workflows now build
images locally, import them into k3d, and deploy with kubectl set image
— all on the self-hosted runner which already has Docker and kubectl.
Also removes the github Terraform provider and ci.tf since no registry
pull secrets or GitHub Actions secrets are needed.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds github provider + ci.tf which provisions:
- KUBECONFIG GitHub Actions secret (from local kubeconfig)
- ghcr-credentials k8s pull secret in finance and auth namespaces
Run `terraform apply -var github_token=<PAT>` once after cluster setup.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
