fix(ci): exclude secrets.yaml from kubectl apply loop

Prevents CI/CD from overwriting manually patched K8s secrets.
Secrets should be managed separately (GitHub Secrets / sealed-secrets).

Root cause: 03-secrets.yaml contains CHANGE_ME placeholders,
causing pods to crash with "password authentication failed".

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

.github/workflows/deploy-prod.yml

@@ -160,10 +160,13 @@ jobs:
           export KUBECONFIG=${{ env.KUBECONFIG }}
           export PATH=$HOME/bin:$PATH
           echo "📦 Applying K8s manifests..."
-          # 排除 kustomization.yaml (那是給 -k 用的，不能直接 apply)
+          # 排除 kustomization.yaml 與 secrets (Secrets 由手動管理，避免覆蓋)
           for f in k8s/awoooi-prod/*.yaml; do
-            if [[ "$(basename "$f")" != "kustomization.yaml" ]]; then
+            BASENAME="$(basename "$f")"
+            if [[ "$BASENAME" != "kustomization.yaml" && "$BASENAME" != "03-secrets.yaml" && "$BASENAME" != "03-secrets.example.yaml" ]]; then
               kubectl apply -f "$f" --namespace=${{ env.K8S_NAMESPACE }}
+            else
+              echo "⏭️ Skipped: $BASENAME (managed separately)"
             fi
           done