offinfra-onboard: per-repo GHA->ghcr migration tool + f1-stream ghcr pull secret

ADR-0002 tracer bullet (infra#13), per Viktor's go-ahead. Idempotent
script: GitHub mirror repo (create/unarchive/visibility), GHA secrets
via gh, Forgejo push-mirror (sync_on_commit) + initial sync, Woodpecker
mirror registration, renders build.yml/deploy.yml from templates
(single-manifest provenance:false, svu semver to Forgejo, ghcr keep-10
retention, Slack notify-failure, manual-event deploy), removes the old
in-cluster build pipeline, commits on the Canonical side. f1-stream
stack gains the ghcr-credentials imagePullSecret (first consumer).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

scripts/offinfra-templates/deploy.yml.tmpl

@@ -0,0 +1,19 @@
+# Auto-deploy, triggered ONLY by the GitHub Actions build POSTing to the
+# Woodpecker API (manual event, with IMAGE_TAG + IMAGE_NAME) after a successful
+# off-infra build+push to GHCR (ADR-0002). event:[manual] (NOT push) so the
+# Forgejo->GitHub mirror's raw pushes don't fire a spurious deploy.
+# The woodpecker-agent SA is cluster-admin — no kubeconfig needed.
+# Generated by infra/scripts/offinfra-onboard.
+when:
+  - event: manual
+
+steps:
+  - name: check-vars
+    image: alpine
+    commands:
+      - "[ -n \"$IMAGE_TAG\" ] || (echo 'IMAGE_TAG not set — refusing to deploy'; exit 1)"
+
+  - name: deploy
+    image: bitnami/kubectl:latest
+    commands:
+{{DEPLOY_CMDS}}