feat: migrate CI/CD from GHCR to local Harbor registry

- Makefile: GHCR -> registry.celestium.life/stonks-oracle
- GitHub Actions: login to Harbor, use HARBOR_PASSWORD secret
- infra/k8s/*.yaml: all image refs -> registry.celestium.life
- inttest pipeline: remove GHCR pull secret (local registry, no auth)
- Steering docs: update registry/git endpoints

infra/inttest/run_pipeline.sh

@@ -236,15 +236,12 @@ if ! kubectl create namespace "$NAMESPACE"; then
 fi
 
 # ── Create GHCR image pull secret (if token available) ───────────────────────
+# NOTE: Images now served from Harbor at registry.celestium.life (no auth needed for pulls)
+# This block is kept for backward compatibility but is no longer required
 if [ -n "${GHCR_TOKEN:-}" ]; then
-  log "Creating ghcr-credentials secret ..."
-  kubectl create secret docker-registry ghcr-credentials \
-    --docker-server=ghcr.io \
-    --docker-username=celesrenata \
-    --docker-password="$GHCR_TOKEN" \
-    -n "$NAMESPACE" || true
+  log "GHCR_TOKEN set but images are on local Harbor — skipping GHCR secret"
 else
-  log "GHCR_TOKEN not set — skipping image pull secret (images must be pullable without auth)"
+  log "Images served from registry.celestium.life (no pull secret needed)"
 fi
 
 # ── Create Docker Hub pull secret (avoid rate limits) ────────────────────────

infra/k8s/aggregation-worker.yaml

@@ -28,7 +28,7 @@ spec:
           type: RuntimeDefault
       containers:
         - name: aggregation-worker
-          image: ghcr.io/celesrenata/stonks-oracle/aggregation:latest
+          image: registry.celestium.life/stonks-oracle/aggregation:latest
           imagePullPolicy: Always
           securityContext:
             allowPrivilegeEscalation: false

infra/k8s/broker-adapter.yaml

@@ -28,7 +28,7 @@ spec:
           type: RuntimeDefault
       containers:
         - name: broker-adapter
-          image: ghcr.io/celesrenata/stonks-oracle/broker-adapter:latest
+          image: registry.celestium.life/stonks-oracle/broker-adapter:latest
           imagePullPolicy: Always
           securityContext:
             allowPrivilegeEscalation: false

infra/k8s/extractor-worker.yaml

@@ -28,7 +28,7 @@ spec:
           type: RuntimeDefault
       containers:
         - name: extractor-worker
-          image: ghcr.io/celesrenata/stonks-oracle/extractor:latest
+          image: registry.celestium.life/stonks-oracle/extractor:latest
           imagePullPolicy: Always
           securityContext:
             allowPrivilegeEscalation: false

infra/k8s/ingestion-worker.yaml

@@ -28,7 +28,7 @@ spec:
           type: RuntimeDefault
       containers:
         - name: ingestion-worker
-          image: ghcr.io/celesrenata/stonks-oracle/ingestion:latest
+          image: registry.celestium.life/stonks-oracle/ingestion:latest
           imagePullPolicy: Always
           securityContext:
             allowPrivilegeEscalation: false

infra/k8s/lake-publisher.yaml

@@ -28,7 +28,7 @@ spec:
           type: RuntimeDefault
       containers:
         - name: lake-publisher
-          image: ghcr.io/celesrenata/stonks-oracle/lake-publisher:latest
+          image: registry.celestium.life/stonks-oracle/lake-publisher:latest
           imagePullPolicy: Always
           securityContext:
             allowPrivilegeEscalation: false

infra/k8s/parser-worker.yaml

@@ -28,7 +28,7 @@ spec:
           type: RuntimeDefault
       containers:
         - name: parser-worker
-          image: ghcr.io/celesrenata/stonks-oracle/parser:latest
+          image: registry.celestium.life/stonks-oracle/parser:latest
           imagePullPolicy: Always
           securityContext:
             allowPrivilegeEscalation: false

infra/k8s/query-api.yaml

@@ -28,7 +28,7 @@ spec:
           type: RuntimeDefault
       containers:
         - name: query-api
-          image: ghcr.io/celesrenata/stonks-oracle/query-api:latest
+          image: registry.celestium.life/stonks-oracle/query-api:latest
           imagePullPolicy: Always
           ports:
             - containerPort: 8000

infra/k8s/recommendation-worker.yaml

@@ -28,7 +28,7 @@ spec:
           type: RuntimeDefault
       containers:
         - name: recommendation-worker
-          image: ghcr.io/celesrenata/stonks-oracle/recommendation:latest
+          image: registry.celestium.life/stonks-oracle/recommendation:latest
           imagePullPolicy: Always
           securityContext:
             allowPrivilegeEscalation: false

infra/k8s/risk-engine.yaml

@@ -28,7 +28,7 @@ spec:
           type: RuntimeDefault
       containers:
         - name: risk-engine
-          image: ghcr.io/celesrenata/stonks-oracle/risk:latest
+          image: registry.celestium.life/stonks-oracle/risk:latest
           imagePullPolicy: Always
           ports:
             - containerPort: 8000

infra/k8s/scheduler.yaml

@@ -28,7 +28,7 @@ spec:
           type: RuntimeDefault
       containers:
         - name: scheduler
-          image: ghcr.io/celesrenata/stonks-oracle/scheduler:latest
+          image: registry.celestium.life/stonks-oracle/scheduler:latest
           imagePullPolicy: Always
           securityContext:
             allowPrivilegeEscalation: false

infra/k8s/symbol-registry.yaml

@@ -28,7 +28,7 @@ spec:
           type: RuntimeDefault
       containers:
         - name: symbol-registry-api
-          image: ghcr.io/celesrenata/stonks-oracle/symbol-registry:latest
+          image: registry.celestium.life/stonks-oracle/symbol-registry:latest
           imagePullPolicy: Always
           ports:
             - containerPort: 8000