diff --git a/stacks/job-hunter/cronjob.tf b/stacks/job-hunter/cronjob.tf
index 968266b5..aa7009d0 100644
--- a/stacks/job-hunter/cronjob.tf
+++ b/stacks/job-hunter/cronjob.tf
@@ -40,6 +40,11 @@ resource "kubernetes_cron_job_v1" "job_hunter_refresh" {
             image_pull_secrets {
               name = "registry-credentials"
             }
+            # Private ghcr image (ADR-0002 off-infra builds) — cloned into this
+            # namespace by the kyverno sync-ghcr-credentials allowlist policy.
+            image_pull_secrets {
+              name = "ghcr-credentials"
+            }
 
             init_container {
               name              = "alembic-migrate"
@@ -147,6 +152,11 @@ resource "kubernetes_cron_job_v1" "job_hunter_alert" {
             image_pull_secrets {
               name = "registry-credentials"
             }
+            # Private ghcr image (ADR-0002 off-infra builds) — cloned into this
+            # namespace by the kyverno sync-ghcr-credentials allowlist policy.
+            image_pull_secrets {
+              name = "ghcr-credentials"
+            }
             container {
               name              = "alert"
               image             = local.image
diff --git a/stacks/job-hunter/main.tf b/stacks/job-hunter/main.tf
index 8b84dfe5..da256229 100644
--- a/stacks/job-hunter/main.tf
+++ b/stacks/job-hunter/main.tf
@@ -175,6 +175,11 @@ resource "kubernetes_deployment" "job_hunter" {
         image_pull_secrets {
           name = "registry-credentials"
         }
+        # Private ghcr image (ADR-0002 off-infra builds) — cloned into this
+        # namespace by the kyverno sync-ghcr-credentials allowlist policy.
+        image_pull_secrets {
+          name = "ghcr-credentials"
+        }
 
         init_container {
           name    = "alembic-migrate"