docs(#3): go-live note — floating tags must exist before flux resume

While HRs are suspended (Phase 0) the staging/production tags are referenced by
no live workload, so gitea-oci-cleanup can reap them. Document the registry-pins
mitigation and a pre-resume existence check in the first-deploy checklist.

DEPLOYMENT.md

@@ -225,10 +225,24 @@ Both should resolve to the `kotkan` ingress IP (the same one
 
 ### D. First deploy
 
-1. Push to `staging` to trigger the first build. Watch Woodpecker.
-2. Once the image lands, Flux reconciles. Watch the rollout:
+> **Go-live prerequisite — floating tag must exist (issue #3).** While the
+> HelmReleases are `suspend: true` (Phase 0) and no pod is running, the
+> floating `staging`/`production` tags are referenced by **no live workload**.
+> `gitea-oci-cleanup` is fleet-aware and only auto-pins in-use tags, so an
+> unreferenced floating tag is reapable. If it gets reaped before go-live, the
+> `ImagePolicy` has nothing to resolve and the first deploy can't pin a digest.
+> Mitigation: the floating tags are explicitly pinned in
+> `servers/armer/scripts/registry-pins.txt`
+> (`container/cms-plugins==staging`, `container/cms-plugins==production`) so
+> the cleaner always keeps them. Before the first `flux resume`, confirm both
+> tags still exist (`oleks/-/packages/container/cms-plugins`); if not, push the
+> branch to rebuild them first.
+
+1. Re-run/confirm the `staging` build so `git.oleks.space/oleks/cms-plugins:staging` exists. Watch Woodpecker.
+2. Resume the release and watch Flux reconcile + the rollout:
 
    ```bash
+   flux resume helmrelease cms-plugins-staging -n kotkan
    kubectl -n kotkan get pods -w | grep cms-plugins
    flux get all -n flux-system | grep cms-plugins
    ```