ci: wire WOODPECKER_SECRET + registry auth for tier-1 — sprint-2

[heraldstack]

context

sprint-1 closed with tier-1.yml running as an unauthenticated pilot (PR #50). the fc_pool_ci_token from_secret blocks were intentionally removed for the pilot run.

sprint-2 scope: restore auth wiring so woodpecker-fc-plugin can authenticate against fc-pool's authenticated endpoint.

work items

• register fc_pool_ci_token as a woodpecker secret in the heraldstack woodpecker server (via woodpecker web ui or api)
• restore FC_POOL_CI_TOKEN: from_secret: fc_pool_ci_token to all four steps in .woodpecker/tier-1.yml (fmt, clippy, build, test)
• validate fc-pool policy accepts authenticated requests from woodpecker-fc-plugin
• confirm registry auth pattern for heraldstack/woodpecker-fc-plugin:0.1.0 pull (currently pull_policy: if-not-present masks registry auth requirement)
• update woodpecker server WOODPECKER_SECRET env var in heraldstack-infra docker-compose if not already set

acceptance criteria

• all four tier-1 steps run successfully against fc-pool authenticated endpoint
• woodpecker pipeline shows green on a real push to this repo
• no unauthenticated fallback paths remain in tier-1.yml

references

• sprint-1 pilot PR: ci(woodpecker): tier-1 unauthenticated pilot — sprint-1 closure #50
• fc-pool: heraldstack-firecracker repo, port 8150
• woodpecker server: port 8210, agent bus 8211