chore(github-runner): gate token provisioning

github-runner-token OnePasswordItem exists but the underlying 1Password
vault item hasn't been created yet, so the operator can't mint the K8s
Secret. Pod stuck in CreateContainerConfigError → DeploymentReplicasMismatch
alert fires.

Scaling to 0 keeps the manifest infrastructure intact but stops trying
to schedule until operator:
1. Creates "GitHub Runner Registration Token" item in IAmWorkin vault
2. Generates a token at github.com/astoltz/<repo>/settings/actions/runners/new
3. Updates the OnePasswordItem itemPath to point at it
4. Bumps replicas back to 1 via PR

apps/github-runner/github-runner.yaml

@@ -24,6 +24,8 @@
 #   expire after 1h — use a fine-grained PAT with admin:org_hook scope
 #   or a re-registration script. See docs/infrastructure/
 #   self-hosted-runner-fleet.md §Security.
+#   Until that item exists and the Secret contains key "credential", this
+#   deployment intentionally stays at replicas: 0.
 #
 # Security model:
 #   - No ClusterRole / ClusterRoleBinding — runner has no K8s API access.
@@ -53,13 +55,18 @@ metadata:
 # 1Password secret sync — creates github-runner-token K8s Secret.
 # Fields expected in the 1Password item:
 #   credential — GitHub runner registration token (or PAT for re-reg script)
-# Item path: IAmWorkin vault > "GitHub Runner Registration Token"
+# Item path convention: vaults/IAmWorkin/items/<exact item title>
-# Operator MUST create this item before the Deployment will start cleanly.
+# Current required title: "GitHub Runner Registration Token"
+# Operator MUST create this item before replicas can be raised above 0.
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
   name: github-runner-token
   namespace: github-runner
+  annotations:
+    flowercore.io/operator-action: "Create IAmWorkin item 'GitHub Runner Registration Token' with field 'credential'."
+    flowercore.io/replica-gate: "Keep Deployment replicas at 0 until github-runner-token Secret exists with key credential."
+    flowercore.io/provisioning-status: "awaiting-operator-secret-provisioning"
   labels:
     app.kubernetes.io/component: credentials
     app.kubernetes.io/part-of: flowercore
@@ -100,6 +107,8 @@ kind: Deployment
 metadata:
   name: github-runner
   namespace: github-runner
+  annotations:
+    flowercore.io/replica-gate: "Scale to 1 only after the 1Password item exists and github-runner-token has key credential."
   labels:
     app.kubernetes.io/name: github-runner
     app.kubernetes.io/component: runner
@@ -111,7 +120,10 @@ spec:
   # one pod at a time. Each pod re-registers as an ephemeral runner after
   # completing a job (EPHEMERAL=true restarts the container, not the pod,
   # so the PVC stays attached between jobs).
-  replicas: 1
+  # Intentionally 0 while the GitHub runner token item is absent. Follow-up
+  # PR should set replicas: 1 only after operator provisioning and Secret
+  # sync verification.
+  replicas: 0
   selector:
     matchLabels:
       app.kubernetes.io/name: github-runner

apps/zabbix/zabbix.yaml

@@ -305,15 +305,17 @@ spec:
               path: /
               port: 8080
             initialDelaySeconds: 60
-            timeoutSeconds: 5
+            timeoutSeconds: 15
             periodSeconds: 10
+            failureThreshold: 3
           readinessProbe:
             httpGet:
               path: /
               port: 8080
             initialDelaySeconds: 30
             periodSeconds: 5
-            timeoutSeconds: 5
+            timeoutSeconds: 15
+            failureThreshold: 3
 ---
 apiVersion: v1
 kind: Service