make secrets clearer in CI guide

CI_CD_PIPELINE_SETUP_GUIDE.md

@@ -1921,9 +1921,15 @@ Go to your Forgejo repository and add these secrets in **Settings → Secrets an
 - `APP_NAME`: Your application name (e.g., `sharenet`)
 - `POSTGRES_PASSWORD`: A strong password for the PostgreSQL database
 - `REGISTRY_HOST`: Your Forgejo instance's registry URL
-- `REGISTRY_TOKEN`: Personal Access Token with package write permissions
+- `REGISTRY_USERNAME`: Your Forgejo username for registry authentication
+- `REGISTRY_TOKEN`: Personal Access Token with `write:packages` scope for registry pushes
+- `SSH_PRIVATE_KEY`: SSH private key for production deployment access
 
-**Note**: The CI pipeline now uses mTLS authentication for pushes (port 4443) and Cosign for image signing. The registry policy enforces Sigstore signatures for all images consumed from the registry.
+**Optional Secrets (for enhanced security):**
+- `COSIGN_PRIVATE_KEY`: Private key for Cosign image signing
+- `COSIGN_PASSWORD`: Password for Cosign private key
+
+**Security Note**: All secrets are managed by Forgejo and never exposed in logs or environment variables. The ephemeral PiP approach ensures secrets are only used during execution and never persist.