# Container registry pull secret — TEMPLATE.
#
# Do NOT apply this file directly. The actual secret is created
# imperatively so the Forgejo PAT never lands in git. Create it with:
#
#   kubectl create secret docker-registry guildhall-registry \
#     --docker-server=git.guildhouse.dev \
#     --docker-username=tking \
#     --docker-password='<PAT-with-package:read-scope>' \
#     --namespace=guildhall
#
# The PAT is generated at:
#   https://git.guildhouse.dev/-/user/settings/applications
# Required scope: `package:read` (or `package:write` if the same PAT
# will also be used for `docker push` from the build host — scoping
# read-only is preferable for cluster-resident credentials).
#
# If the `tking/guildhall` Forgejo package is made public, this secret
# is not required and `imagePullSecrets` can be omitted from the
# guildhall Deployment and Job. The Deployment manifests reference
# it unconditionally; switching to public packages means removing
# those references and deleting this secret.
#
# Shape reference (what `kubectl get secret -o yaml` would show):
#
# apiVersion: v1
# kind: Secret
# metadata:
#   name: guildhall-registry
#   namespace: guildhall
#   labels:
#     app.kubernetes.io/managed-by: manual
#     app.kubernetes.io/part-of: guildhouse
# type: kubernetes.io/dockerconfigjson
# data:
#   .dockerconfigjson: <base64-encoded {"auths":{"git.guildhouse.dev":{"auth":"<b64 user:pat>"}}}>