
[User Story] Create runbook for rotating CI/CD tokens and secrets #68

@noahwhite


Story Summary

As a platform maintainer, I want a documented runbook for rotating all CI/CD tokens and secrets, so that token rotation is a repeatable, well-understood process.


✅ Acceptance Criteria

  • Document all tokens/secrets used by ghost-stack CI/CD workflows:
    • GHCR token (GitHub Container Registry)
    • BWS_ACCESS_TOKEN (Bitwarden Secrets Manager)
    • GitHub PAT (if applicable)
    • Any environment-specific secrets
  • For each token, document:
    • Where it's created/managed
    • Expiration policy (if any)
    • Steps to rotate
    • Where to update (GitHub Secrets, Bitwarden, etc.)
    • How to verify rotation was successful
  • Add runbook to docs/ directory and CLAUDE.md
  • Include troubleshooting steps for common rotation issues

📝 Additional Context

  • Triggered by: GHCR token expiration causing workflow failures
  • Location: Should be added to docs/secrets-management.md or new docs/token-rotation-runbook.md
  • Related: Existing docs in docs/secrets-management.md

📦 Definition of Ready

  • Acceptance criteria defined
  • No unresolved external dependencies
  • Story is estimated
  • Team has necessary skills and access
  • Priority is clear
  • Business value understood

✅ Definition of Done

  • All acceptance criteria met
  • Unit/integration tests written & passing (N/A - documentation)
  • Peer-reviewed (PR approved)
  • Docs updated (if applicable)
  • Verified in staging (if needed)
  • No critical bugs/regressions
