[ci skip] phase 5+6: update CI pipelines for SOPS, add sensitive=true to secret vars

Phase 5 — CI pipelines:
- default.yml: add SOPS decrypt in prepare step, change git add . to
  specific paths (stacks/ state/ .woodpecker/), cleanup on success+failure
- renew-tls.yml: change git add . to git add secrets/ state/

Phase 6 — sensitive=true:
- Add sensitive = true to 256 variable declarations across 149 stack files
- Prevents secret values from appearing in terraform plan output
- Does NOT modify shared modules (ingress_factory, nfs_volume) to avoid
  breaking module interface contracts

Note: CI pipeline SOPS decryption requires sops_age_key Woodpecker secret
to be created before the pipeline will work with SOPS. Until then, the old
terraform.tfvars path continues to function.

stacks/hackmd/main.tf

@@ -1,5 +1,11 @@
-variable "hackmd_db_password" { type = string }
-variable "tls_secret_name" { type = string }
+variable "hackmd_db_password" {
+  type = string
+  sensitive = true
+}
+variable "tls_secret_name" {
+  type = string
+  sensitive = true
+}
 variable "nfs_server" { type = string }
 variable "mysql_host" { type = string }
 

stacks/hackmd/providers.tf

@@ -2,6 +2,7 @@
 variable "kube_config_path" {
   type    = string
   default = "~/.kube/config"
+  sensitive = true
 }
 
 provider "kubernetes" {