fix(firestartr-bootstrap): bootstrap fails on GitHub App team access and private GHCR pulls #464

@vieitesss

Description

Summary

While bootstrapping pre-vieitesss with firestartr-bootstrap, we found two module-level failure modes in the Import and create the basic CRs and Claims / validation flow.

Errors observed

  1. Membership import fails when the init/operator pod uses the controller GitHub App without org Members permission:
FirestartrGithubMembership/vieitesss error loading resources: HttpError: Not Found - https://docs.github.com/rest/teams/teams#get-a-team-by-name
GET /orgs/pre-vieitesss/teams/pre-vieitesss-all - 404

The team exists and the admin/bootstrap app can read it. The controller app token receives 404 because it does not have org Members read/write permission.

  2. Bootstrap validation/rendering pulls private GHCR images anonymously:
failed to resolve image "ghcr.io/prefapp/gitops-k8s:v2.1.0_slim" ... failed to authorize ... 403 Forbidden

ghcr.io/prefapp/gitops-k8s requires package read access. The module should authenticate GHCR pulls with prefappBotPat or another documented token with read:packages.

  3. When adding authenticated validation with Dagger, using secret env expansion fails:
expand cannot be used with secret env variable "GHCR_TOKEN"

Validation should avoid expanding secret env vars directly, e.g. mount a Docker auth config secret for crane manifest.

Expected behavior

  • Bootstrap docs/config should clearly state that the controller GitHub App needs org Members permission if it is used to provision/import memberships.
  • Private ghcr.io/prefapp/gitops-k8s pulls should be authenticated during both validation and render steps.
  • Validation errors should distinguish missing image from unauthorized private package access.

Notes

Temporary workaround tested locally: use the admin/bootstrap GitHub App for the init pod during bootstrap, and authenticate GHCR pulls using prefappBotPat.
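A preflight script covering the three points in this issue, added here as an illustration and not code from the issue author or from firestartr-bootstrap: it checks whether the controller app token can see the org team, whether the GHCR token can read the private package (separating unauthorized from missing), and runs crane with the PAT mounted as a Docker auth config instead of expanding the secret into the command line. The environment variable names (GH_ORG, GH_TEAM_SLUG, GH_APP_TOKEN, GHCR_USER, GHCR_TOKEN, GHCR_IMAGE, GHCR_TAG) are hypothetical, the ghcr.io/token exchange with the PAT as basic auth is the assumed registry flow, and the 401/403 versus 404 mapping is an assumption based on the 403 quoted above.

```shell
#!/usr/bin/env bash
# Added example, not firestartr-bootstrap code. Network calls only run when
# RUN_PREFLIGHT=1; the helper functions are pure so they can be checked offline.
# Assumed (hypothetical) environment: GH_ORG, GH_TEAM_SLUG, GH_APP_TOKEN,
# GHCR_USER, GHCR_TOKEN, GHCR_IMAGE (e.g. prefapp/gitops-k8s), GHCR_TAG.
set -eu

# Write a Docker auth config for ghcr.io into $1 so crane reads the PAT via
# DOCKER_CONFIG rather than through an expanded secret env variable.
write_ghcr_docker_config() {
  dir=$1; user=$2; token=$3
  mkdir -p "$dir"
  auth=$(printf '%s:%s' "$user" "$token" | base64 | tr -d '\n')
  printf '{"auths":{"ghcr.io":{"auth":"%s"}}}\n' "$auth" > "$dir/config.json"
  chmod 600 "$dir/config.json"
}

# Read back the base64 auth field stored for ghcr.io (used for verification).
ghcr_auth_from_config() {
  sed -n 's/.*"ghcr.io":{"auth":"\([^"]*\)"}.*/\1/p' "$1/config.json"
}

# Map the HTTP status of GET /v2/<image>/manifests/<tag> to a cause.
# Assumption: 401/403 means the token cannot read the package (the 403 seen in
# this issue), 404 with a working token means the tag or package does not exist.
classify_manifest_status() {
  case $1 in
    200) echo ok ;;
    401|403) echo unauthorized ;;
    404) echo missing ;;
    *) echo "unexpected:$1" ;;
  esac
}

# Map the HTTP status of GET /orgs/<org>/teams/<slug> for the app token.
# As observed in this issue, a token without org Members permission gets 404,
# so 404 alone cannot tell "team missing" from "permission missing".
classify_team_status() {
  case $1 in
    200) echo ok ;;
    404) echo "not-visible (team missing or app lacks org Members permission)" ;;
    401) echo bad-token ;;
    *) echo "unexpected:$1" ;;
  esac
}

# Registry token exchange (assumed flow): basic-auth the PAT against
# ghcr.io/token for a pull-scoped bearer, then fetch the manifest headers.
ghcr_manifest_status() {
  image=$1; tag=$2; user=$3; token=$4
  bearer=$(curl -sS -u "$user:$token" \
    "https://ghcr.io/token?service=ghcr.io&scope=repository:$image:pull" \
    | sed -n 's/.*"token":"\([^"]*\)".*/\1/p')
  curl -sS -o /dev/null -w '%{http_code}' \
    -H "Authorization: Bearer $bearer" \
    -H 'Accept: application/vnd.oci.image.index.v1+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.docker.distribution.manifest.v2+json' \
    "https://ghcr.io/v2/$image/manifests/$tag"
}

# Same request the operator makes for the membership import, with the app token.
github_team_status() {
  org=$1; slug=$2; token=$3
  curl -sS -o /dev/null -w '%{http_code}' \
    -H "Authorization: Bearer $token" \
    -H 'Accept: application/vnd.github+json' \
    "https://api.github.com/orgs/$org/teams/$slug"
}

if [ "${RUN_PREFLIGHT:-0}" = 1 ]; then
  echo "team $GH_ORG/$GH_TEAM_SLUG: $(classify_team_status "$(github_team_status "$GH_ORG" "$GH_TEAM_SLUG" "$GH_APP_TOKEN")")"
  echo "image ghcr.io/$GHCR_IMAGE:$GHCR_TAG: $(classify_manifest_status "$(ghcr_manifest_status "$GHCR_IMAGE" "$GHCR_TAG" "$GHCR_USER" "$GHCR_TOKEN")")"
  # crane picks the PAT up from the mounted config; the secret is never expanded.
  cfg=$(mktemp -d)
  write_ghcr_docker_config "$cfg" "$GHCR_USER" "$GHCR_TOKEN"
  DOCKER_CONFIG=$cfg crane manifest "ghcr.io/$GHCR_IMAGE:$GHCR_TAG" > /dev/null && echo "crane: ok"
  rm -rf "$cfg"
fi
```

Run it with RUN_PREFLIGHT=1 and the variables above set; in a Dagger step the same idea applies by mounting the generated config.json as a secret file and pointing DOCKER_CONFIG at its directory, which sidesteps the "expand cannot be used with secret env variable" error.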
