Context
DEPLOYMENT.md's own fleet-mode framing already describes running "many parallel miner attempts on a host or small cluster," but today only Docker-based artifacts exist for this (a Dockerfile, and a sibling docker-compose.miner.yml issue in this same batch) — there are no Kubernetes manifests anywhere in the repo for the miner package, and the repo-root terraform//k8s-adjacent config that does exist is ORB-specific.
Dependencies
None — independently shippable. It does not require the docker-compose.miner.yml sibling issue in this batch to land first; both are parallel, independent packaging artifacts built on the same existing Dockerfile image.
Requirements
- Add
k8s/miner-deployment.yaml defining a Kubernetes Deployment for the miner CLI-worker, built from the existing Dockerfile image.
- Make replica count configurable (e.g. via a
replicas field an operator edits, or a documented kubectl scale command).
- Set resource requests/limits appropriate for a CLI-worker pod (not a persistent server) — document the reasoning for the chosen values.
- Provide per-pod persistent storage for
/data/miner via a volumeClaimTemplate (or equivalent), ensuring each replica gets isolated state — never a single shared PVC/volume across replicas, since the miner's SQLite-backed local stores are not designed for concurrent multi-pod access.
- Add
k8s/miner-secret.example.yaml as a Secret template for GITHUB_TOKEN (and placeholder keys for coding-agent credentials), consistent with the _FILE-indirection pattern from the sibling secrets-file issue in this batch if that has landed, or plain env references otherwise.
- Document the deploy sequence (
kubectl apply -f k8s/miner-secret.example.yaml after filling in real values, then kubectl apply -f k8s/miner-deployment.yaml) and how to scale replicas, in a new DEPLOYMENT.md section or a k8s/README.md.
- Do not touch any autonomous-loop, governor, claim-ledger, or attempt control-flow — this is packaging/infra only.
Deliverables / Acceptance Criteria
Test Coverage Requirements
This PR must ship with full test coverage for every changed line and branch — the repo's Codecov patch gate requires 99%+ coverage and the house standard is to aim for 100%, including both sides of every conditional/nullish-coalescing branch introduced. Since these are static infra manifests (not src/** logic), Codecov's patch gate does not apply to the YAML itself, but this PR must still ship: (1) an automated validation check (e.g. a script or CI step running kubectl apply --dry-run=client -f k8s/ or a YAML-schema validator) covering both a well-formed manifest (passes) and a deliberately malformed one (fails), exercised as a real test rather than manual eyeballing, (2) an invariant test/assertion confirming the Deployment's storage strategy is per-pod (a volumeClaimTemplate, not one shared PVC referenced by every replica) — the specific safety property this issue introduces, and (3) not applicable as a bug-fix regression test since this is net-new packaging, not a fix.
Expected Outcome
An operator running a small Kubernetes cluster can deploy N isolated miner workers with kubectl apply instead of hand-rolling manifests or being limited to docker-compose/bare docker run.
Links & Resources
- DEPLOYMENT.md — fleet-mode framing this fulfills
- Dockerfile (existing, in
packages/gittensory-miner/) — image the Deployment builds on
- Sibling
docker-compose.miner.yml issue in this batch — the single-host alternative
- Sibling
_FILE secrets-indirection issue in this batch — credential-mounting pattern this Secret template should stay consistent with
- Theme: Self-host packaging & docs
Context
DEPLOYMENT.md's own fleet-mode framing already describes running "many parallel miner attempts on a host or small cluster," but today only Docker-based artifacts exist for this (a Dockerfile, and a sibling
docker-compose.miner.ymlissue in this same batch) — there are no Kubernetes manifests anywhere in the repo for the miner package, and the repo-rootterraform//k8s-adjacent config that does exist is ORB-specific.Dependencies
None — independently shippable. It does not require the
docker-compose.miner.ymlsibling issue in this batch to land first; both are parallel, independent packaging artifacts built on the same existing Dockerfile image.Requirements
k8s/miner-deployment.yamldefining a Kubernetes Deployment for the miner CLI-worker, built from the existing Dockerfile image.replicasfield an operator edits, or a documentedkubectl scalecommand)./data/minervia avolumeClaimTemplate(or equivalent), ensuring each replica gets isolated state — never a single shared PVC/volume across replicas, since the miner's SQLite-backed local stores are not designed for concurrent multi-pod access.k8s/miner-secret.example.yamlas a Secret template forGITHUB_TOKEN(and placeholder keys for coding-agent credentials), consistent with the_FILE-indirection pattern from the sibling secrets-file issue in this batch if that has landed, or plain env references otherwise.kubectl apply -f k8s/miner-secret.example.yamlafter filling in real values, thenkubectl apply -f k8s/miner-deployment.yaml) and how to scale replicas, in a new DEPLOYMENT.md section or ak8s/README.md.Deliverables / Acceptance Criteria
k8s/miner-deployment.yamladded with configurable replicas, sane resource requests/limits, and per-pod persistent volumesk8s/miner-secret.example.yamladded as a Secret template for GITHUB_TOKEN and provider credentialskubectl apply --dry-run=clientor an equivalent schema check)k8s/README.md)Test Coverage Requirements
This PR must ship with full test coverage for every changed line and branch — the repo's Codecov patch gate requires 99%+ coverage and the house standard is to aim for 100%, including both sides of every conditional/nullish-coalescing branch introduced. Since these are static infra manifests (not
src/**logic), Codecov's patch gate does not apply to the YAML itself, but this PR must still ship: (1) an automated validation check (e.g. a script or CI step runningkubectl apply --dry-run=client -f k8s/or a YAML-schema validator) covering both a well-formed manifest (passes) and a deliberately malformed one (fails), exercised as a real test rather than manual eyeballing, (2) an invariant test/assertion confirming the Deployment's storage strategy is per-pod (avolumeClaimTemplate, not one shared PVC referenced by every replica) — the specific safety property this issue introduces, and (3) not applicable as a bug-fix regression test since this is net-new packaging, not a fix.Expected Outcome
An operator running a small Kubernetes cluster can deploy N isolated miner workers with
kubectl applyinstead of hand-rolling manifests or being limited to docker-compose/baredocker run.Links & Resources
packages/gittensory-miner/) — image the Deployment builds ondocker-compose.miner.ymlissue in this batch — the single-host alternative_FILEsecrets-indirection issue in this batch — credential-mounting pattern this Secret template should stay consistent with