Seal remaining Gitea secrets: API token, runner token, pull secret

All placeholder secrets replaced with real sealed values:
- argocd-gitea-token: API token for ArgoCD PR generator
- gitea-runner-token: registration token for in-cluster runner
- gitea-pull-secret: registry credentials for app image pulls

apps/api/k8s/base/gitea-pull-secret-sealed.yaml

@@ -1,11 +1,3 @@
-# PLACEHOLDER: Re-seal with Gitea registry credentials
-# kubectl create secret docker-registry gitea-pull-secret \
-#   --namespace apps \
-#   --docker-server=gitea.coreworlds.io \
-#   --docker-username=lazorgurl \
-#   --docker-password=<token> \
-#   --dry-run=client -o yaml | kubeseal --format yaml \
-#     --controller-namespace kube-system --controller-name sealed-secrets-helm
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
@@ -14,7 +6,7 @@ metadata:
   namespace: apps
 spec:
   encryptedData:
-    .dockerconfigjson: PLACEHOLDER_SEAL_ME
+    .dockerconfigjson: AgCMSSXv3CHy2MKH1kZFyMAe6wd5paliMm27DxO2ASjX+UVWCIybUf+dm3CINIwx9BpgmmP+XOvJ+J7uMEXYiLB6sq6SpeiTvk0K02cm7i70vlAi6InjTPeqnUVKOB/XIGruS4+VttcnqXHZupzbHZJDha3Z4/t0GONvmXrG98pGTR/aSSxMRcZpQRmSylmAZ8m5Tm9VOlwgvlok643S1O/AbZWPs5gpLstfQB9ejUvVFJADVLZX3hXvlp56ksDLPw+7tVr4OFt1YmVbsQBrss50nYmHapB4LMQvtKkMPF8Gm1YOlDHa+sNKvQb2ikaIbUikHbDXXs4rEF1utzSena4YDtb7c/as0im0REkPblB+avxTTXm5ygR3gqaty+D29Iplx6n3cD06gorv4rced+wrrvEu4kzvJpRlcF2a/EkwFTtY3qHfH9m1E6uyJ2U4QoklAvR7lOQBWpdS7h2gq2cerGC/N3LM3z6DHZOHIr+HtmhxugaoyWgblWya4BXtIa3z6ws/l1S3OFu0cuKUA4D3jVcM/Zr4tPjjA4p9HhclcJ9RyOgZoZn+emwmuNnMTO8dRtRzv3F4kjKh3h+wWY3CYmQADLaykIWjIjz2VqHvvruNMm8iKdEcG6VrT8kWeZBdc65ozcbLouzoj/OKe8rgLPrEEN2NsNxe/cQSQI6W81Uc4N7K20qL/0kmF8sl/rsOZwRjVHXvVAZn1mfoukqEyLHoTNh6rjnWp1Po8gcCdxz4RImEFbbOUYxTpYhVf0FHGeuYA92fLvezAyrsd9UatJf9lYj/NH9IX7Ek0isvWcxvEdQ9bf6TeGiU3is+gxj8VXog1K0q71zFEGP3Gtx4R1uP75+ZbLHWlM0GhyeduvqBqBLtDbXZHeif9p/PTDVkdzcuZGJcvNwh/pwrsFD6klCHyNMXeizDWM+O7LM2AVfaw+kmMUoYPqeNHmMX
   template:
     metadata:
       name: gitea-pull-secret

apps/web/k8s/base/gitea-pull-secret-sealed.yaml

@@ -1,11 +1,3 @@
-# PLACEHOLDER: Re-seal with Gitea registry credentials
-# kubectl create secret docker-registry gitea-pull-secret \
-#   --namespace apps \
-#   --docker-server=gitea.coreworlds.io \
-#   --docker-username=lazorgurl \
-#   --docker-password=<token> \
-#   --dry-run=client -o yaml | kubeseal --format yaml \
-#     --controller-namespace kube-system --controller-name sealed-secrets-helm
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
@@ -14,7 +6,7 @@ metadata:
   namespace: apps
 spec:
   encryptedData:
-    .dockerconfigjson: PLACEHOLDER_SEAL_ME
+    .dockerconfigjson: AgCMSSXv3CHy2MKH1kZFyMAe6wd5paliMm27DxO2ASjX+UVWCIybUf+dm3CINIwx9BpgmmP+XOvJ+J7uMEXYiLB6sq6SpeiTvk0K02cm7i70vlAi6InjTPeqnUVKOB/XIGruS4+VttcnqXHZupzbHZJDha3Z4/t0GONvmXrG98pGTR/aSSxMRcZpQRmSylmAZ8m5Tm9VOlwgvlok643S1O/AbZWPs5gpLstfQB9ejUvVFJADVLZX3hXvlp56ksDLPw+7tVr4OFt1YmVbsQBrss50nYmHapB4LMQvtKkMPF8Gm1YOlDHa+sNKvQb2ikaIbUikHbDXXs4rEF1utzSena4YDtb7c/as0im0REkPblB+avxTTXm5ygR3gqaty+D29Iplx6n3cD06gorv4rced+wrrvEu4kzvJpRlcF2a/EkwFTtY3qHfH9m1E6uyJ2U4QoklAvR7lOQBWpdS7h2gq2cerGC/N3LM3z6DHZOHIr+HtmhxugaoyWgblWya4BXtIa3z6ws/l1S3OFu0cuKUA4D3jVcM/Zr4tPjjA4p9HhclcJ9RyOgZoZn+emwmuNnMTO8dRtRzv3F4kjKh3h+wWY3CYmQADLaykIWjIjz2VqHvvruNMm8iKdEcG6VrT8kWeZBdc65ozcbLouzoj/OKe8rgLPrEEN2NsNxe/cQSQI6W81Uc4N7K20qL/0kmF8sl/rsOZwRjVHXvVAZn1mfoukqEyLHoTNh6rjnWp1Po8gcCdxz4RImEFbbOUYxTpYhVf0FHGeuYA92fLvezAyrsd9UatJf9lYj/NH9IX7Ek0isvWcxvEdQ9bf6TeGiU3is+gxj8VXog1K0q71zFEGP3Gtx4R1uP75+ZbLHWlM0GhyeduvqBqBLtDbXZHeif9p/PTDVkdzcuZGJcvNwh/pwrsFD6klCHyNMXeizDWM+O7LM2AVfaw+kmMUoYPqeNHmMX
   template:
     metadata:
       name: gitea-pull-secret