Batch remote execution: target profiles + K8s tooling (PR 2)

.devcontainer/Dockerfile

@@ -9,6 +9,18 @@ RUN groupadd --gid $USER_GID $USERNAME \
     && mkdir -p /home/$USERNAME/.vscode-server /home/$USERNAME/.pixi-env \
     && chown -R $USERNAME:$USERNAME /home/$USERNAME
 
+# gcloud SDK + kubectl for batch remote targets (K8s, Cloud Run)
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends curl \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY .devcontainer/scripts/on_build/install_gcloud.sh /tmp/install_gcloud.sh
+COPY .devcontainer/scripts/on_build/install_kubectl.sh /tmp/install_kubectl.sh
+RUN chmod +x /tmp/install_gcloud.sh /tmp/install_kubectl.sh \
+    && /tmp/install_gcloud.sh \
+    && /tmp/install_kubectl.sh \
+    && rm /tmp/install_gcloud.sh /tmp/install_kubectl.sh
+
 WORKDIR /workspaces/joshpy
 USER $USERNAME
 CMD ["bash"]

.devcontainer/scripts/on_build/install_gcloud.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+# License: BSD-3-Clause
+#
+# SHA256 captured 2026-04-16 from this devcontainer (Codespaces, linux/amd64).
+# Source: https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-526.0.0-linux-x86_64.tar.gz
+# To update: download the new version, run sha256sum, and replace both
+# the version and hash below.
+set -e
+
+GCLOUD_VERSION="526.0.0"
+GCLOUD_SHA256="9d647a35c87e3d6ffe3f0c7331a81b3c7cd02b0bd1cb48b83f6acb5aca75d000"
+
+curl -fsSL "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-${GCLOUD_VERSION}-linux-x86_64.tar.gz" -o /tmp/gcloud.tar.gz
+
+if ! echo "${GCLOUD_SHA256}  /tmp/gcloud.tar.gz" | sha256sum --check --status; then
+  echo "ERROR: SHA256 verification failed for google-cloud-cli ${GCLOUD_VERSION}." >&2
+  echo "Expected: ${GCLOUD_SHA256}" >&2
+  echo "Got:      $(sha256sum /tmp/gcloud.tar.gz | cut -d' ' -f1)" >&2
+  echo "The upstream archive may have changed. Re-verify and update the hash." >&2
+  rm /tmp/gcloud.tar.gz
+  exit 1
+fi
+
+tar -xzf /tmp/gcloud.tar.gz -C /opt
+/opt/google-cloud-sdk/install.sh --quiet --usage-reporting=false --command-completion=false --path-update=false
+/opt/google-cloud-sdk/bin/gcloud components install gke-gcloud-auth-plugin --quiet
+rm /tmp/gcloud.tar.gz
+
+# Symlink to /usr/local/bin so gcloud and the auth plugin are on the system
+# PATH for all processes — not just interactive shells. kubectl exec's
+# gke-gcloud-auth-plugin as a subprocess, which in turn exec's gcloud;
+# neither inherits shell PATH or Dockerfile ENV PATH reliably.
+ln -sf /opt/google-cloud-sdk/bin/gcloud /usr/local/bin/gcloud
+ln -sf /opt/google-cloud-sdk/bin/gsutil /usr/local/bin/gsutil
+ln -sf /opt/google-cloud-sdk/bin/gke-gcloud-auth-plugin /usr/local/bin/gke-gcloud-auth-plugin

.devcontainer/scripts/on_build/install_kubectl.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+# License: BSD-3-Clause
+#
+# SHA256 captured 2026-04-16 from this devcontainer (Codespaces, linux/amd64).
+# Source: https://dl.k8s.io/release/v1.31.4/bin/linux/amd64/kubectl
+# To update: download the new version, run sha256sum, and replace both
+# the version and hash below.
+set -e
+
+KUBECTL_VERSION="v1.31.4"
+KUBECTL_SHA256="298e19e9c6c17199011404278f0ff8168a7eca4217edad9097af577023a5620f"
+
+curl -fsSL "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" -o /tmp/kubectl
+
+if ! echo "${KUBECTL_SHA256}  /tmp/kubectl" | sha256sum --check --status; then
+  echo "ERROR: SHA256 verification failed for kubectl ${KUBECTL_VERSION}." >&2
+  echo "Expected: ${KUBECTL_SHA256}" >&2
+  echo "Got:      $(sha256sum /tmp/kubectl | cut -d' ' -f1)" >&2
+  echo "The upstream binary may have changed. Re-verify and update the hash." >&2
+  rm /tmp/kubectl
+  exit 1
+fi
+
+install -o root -g root -m 0755 /tmp/kubectl /usr/local/bin/kubectl
+rm /tmp/kubectl

.github/workflows/test.yml

@@ -10,7 +10,7 @@ permissions:
   contents: read
 
 jobs:
-  test:
+  unit-tests:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -20,5 +20,42 @@ jobs:
           pixi-version: latest
           environments: dev
 
-      - name: Run tests
+      - name: Run unit tests
         run: pixi run -e dev test
+
+  integration-tests:
+    runs-on: ubuntu-latest
+    services:
+      minio:
+        image: bitnamilegacy/minio:latest@sha256:b3d51900e846b92f7503ca6be07d2e8c56ebb6a13a60bc71b8777c716c074bcf
+        ports:
+          - 9000:9000
+        env:
+          MINIO_ROOT_USER: minioadmin
+          MINIO_ROOT_PASSWORD: minioadmin
+          MINIO_DEFAULT_BUCKETS: josh-test-bucket:public
+          MINIO_SCHEME: http
+        options: >-
+          --health-cmd "curl -f http://localhost:9000/minio/health/ready || curl -f http://localhost:9000/minio/health/live"
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - uses: prefix-dev/setup-pixi@a0af7a228712d6121d37aba47adf55c1332c9c2e # v0.9.4
+        with:
+          pixi-version: latest
+          environments: dev
+
+      - name: Verify MinIO is ready
+        run: curl -f http://localhost:9000/minio/health/ready
+
+      - name: Download Josh JAR
+        run: pixi run get-jars
+
+      - name: Run integration tests
+        run: pixi run -e dev test-integration