Skip registry ingestion in k8s mode and add Kubernetes deployment examples

.github/workflows/claude-code-review.yml

@@ -30,7 +30,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           fetch-depth: 1
 

.github/workflows/claude.yml

@@ -26,7 +26,7 @@ jobs:
       actions: read # Required for Claude to read CI results on PRs
     steps:
       - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           fetch-depth: 1
 

.github/workflows/code-quality.yml

@@ -12,7 +12,7 @@ jobs:
     name: Code Quality Checks
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - name: Install uv
         uses: astral-sh/setup-uv@5a7eac68fb9809dea845d802897dc5c723910fa3 # v7.1.3

.github/workflows/image-build.yml

@@ -13,7 +13,7 @@ jobs:
 
     steps:
     - name: Checkout code
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

.github/workflows/integration-tests.yml

@@ -13,7 +13,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

.github/workflows/offline-tests.yml

@@ -13,7 +13,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

.github/workflows/release.yml

@@ -19,7 +19,7 @@ jobs:
       id-token: write
     steps:
       - name: Checkout code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
@@ -41,7 +41,7 @@ jobs:
 
       - name: Extract metadata
         id: meta
-        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
         with:
           images: ghcr.io/${{ steps.repo_owner.outputs.OWNER }}/mcp-optimizer
           tags: |

.github/workflows/releaser-helm-charts.yml

@@ -20,7 +20,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
         with:
           fetch-depth: 0
 

.github/workflows/update-thv-models.yml

@@ -21,7 +21,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - name: Install ToolHive
         uses: StacklokLabs/toolhive-actions/install@6a095f99aa2fd6cd92cf0bb94bdf509b99820c06 # v0.0.3
@@ -115,7 +115,7 @@ jobs:
       - name: Create Pull Request
         if: steps.check-changes.outputs.has_changes == 'true'
         id: create-pr
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+        uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7.0.9
         with:
           # Ensure PR related actions (quality checks) are triggered, see
           # https://github.com/peter-evans/create-pull-request/issues/48#issuecomment-536204092

Taskfile.yml

@@ -120,3 +120,18 @@ tasks:
     desc: Run container offline mode tests
     cmds:
       - ./scripts/test-offline.sh
+
+  k8s-apply-examples:
+    desc: Apply all MCP server examples to Kubernetes cluster
+    cmds:
+      - ./examples/mcp-servers/apply-mcp-servers.sh
+
+  k8s-delete-examples:
+    desc: Delete all MCP server examples from Kubernetes cluster
+    cmds:
+      - ./examples/mcp-servers/delete-mcp-servers.sh
+
+  k8s-status-examples:
+    desc: Check status of all MCP server examples
+    cmds:
+      - ./examples/mcp-servers/status-mcp-servers.sh

examples/mcp-servers/README.md

@@ -20,6 +20,46 @@ Before deploying these example servers, you must:
 
 ## Quick Start
 
+### 0. Create GitHub Secrets (Required for pulling images and GitHub API access)
+
+Before deploying any servers, create the required GitHub secrets. You can use the same GitHub Personal Access Token for both secrets.
+
+**Option 1: Use the convenience script (Recommended)**
+
+```bash
+# Set your GitHub token and username
+export GITHUB_TOKEN=your_token_here
+export GITHUB_USERNAME=your_username  # Optional, will prompt if not set
+
+# Run the script to create both secrets
+./examples/mcp-servers/create-github-secrets.sh
+```
+
+**Option 2: Create secrets manually**
+
+```bash
+# Set your token and username
+GITHUB_TOKEN=your_token_here
+GITHUB_USERNAME=your_username
+
+# Create the pull secret for ghcr.io
+kubectl create secret docker-registry ghcr-pull-secret \
+  --docker-server=ghcr.io \
+  --docker-username=$GITHUB_USERNAME \
+  --docker-password=$GITHUB_TOKEN \
+  -n toolhive-system
+
+# Create the GitHub API token secret
+kubectl create secret generic github-token -n toolhive-system \
+  --from-literal=token=$GITHUB_TOKEN
+```
+
+**Note:** You need a GitHub Personal Access Token with:
+- `read:packages` scope for pulling images from ghcr.io
+- GitHub API scopes (repo, read:org, etc.) for MCP server access
+
+The `shared-serviceaccount.yaml` will automatically reference the pull secret, making it available to all MCP servers that use the shared service account.
+
 ### 1. Install Fetch Server
 
 ```bash
@@ -30,16 +70,52 @@ kubectl get mcpserver fetch -n toolhive-system
 ### 2. Install GitHub Server
 
 ```bash
-# Create GitHub token secret first
-kubectl create secret generic github-token -n toolhive-system \
-  --from-literal=token=YOUR_GITHUB_TOKEN_HERE
+# Note: If you used the create-github-secrets.sh script in step 0, 
+# the github-token secret already exists. You can skip creating it again.
 
 # Deploy GitHub server
 kubectl apply -f examples/mcp-servers/mcpserver_github.yaml
 kubectl get mcpserver github -n toolhive-system
 ```
 
-### 3. Verify Deployment
+**Alternative:** If you didn't use the script, create the github-token secret manually:
+```bash
+kubectl create secret generic github-token -n toolhive-system \
+  --from-literal=token=YOUR_GITHUB_TOKEN_HERE
+```
+
+### 3. Install ToolHive Doc MCP Server
+
+The ToolHive Doc MCP server provides documentation search and retrieval capabilities.
+
+```bash
+# Note: This server uses the same github-token secret as the GitHub server
+# If you've already created github-token secret in step 2, you can skip creating it again
+
+# Deploy ToolHive Doc MCP server
+kubectl apply -f examples/mcp-servers/mcpserver_toolhive-doc-mcp.yaml
+kubectl get mcpserver toolhive-doc-mcp -n toolhive-system
+```
+
+### 4. Install MCP Optimizer
+
+MCP Optimizer aggregates tools from all MCP servers in the cluster and provides unified tool discovery.
+
+```bash
+# Deploy MCP Optimizer (includes ServiceAccount and RBAC)
+kubectl apply -f examples/mcp-servers/mcpserver_mcp-optimizer.yaml
+
+# Verify deployment
+kubectl get mcpserver mcp-optimizer -n toolhive-system
+kubectl get pods -n toolhive-system | grep mcp-optimizer
+
+# Check logs to see tool discovery
+kubectl logs -n toolhive-system -l app.kubernetes.io/name=mcp-optimizer --tail=50
+```
+
+**Note:** MCP Optimizer requires RBAC permissions to discover MCPServer resources in the cluster. The example includes the necessary ServiceAccount, ClusterRole, and ClusterRoleBinding.
+
+### 5. Verify Deployment
 
 Check that MCP Optimizer discovers the deployed servers:
 
@@ -87,8 +163,12 @@ For client configuration (Cursor, VSCode, Claude Desktop), see [Connecting Clien
 
 ## Files
 
-- **`mcpserver_fetch.yaml`** - Fetch server for web scraping and URL fetching
-- **`mcpserver_github.yaml`** - GitHub API integration server
+- **`create-github-secrets.sh`** - Convenience script to create both GitHub secrets from GITHUB_TOKEN environment variable
+- **`shared-serviceaccount.yaml`** - Shared ServiceAccount with cluster-wide imagePullSecrets for ghcr.io (applied automatically)
+- **`mcpserver_fetch.yaml`** - Fetch server for web scraping and URL fetching (uses shared ServiceAccount)
+- **`mcpserver_github.yaml`** - GitHub API integration server (uses shared ServiceAccount)
+- **`mcpserver_toolhive-doc-mcp.yaml`** - ToolHive documentation search and retrieval server (uses shared ServiceAccount, shares github-token secret)
+- **`mcpserver_mcp-optimizer.yaml`** - MCP Optimizer server that aggregates tools from all MCP servers (includes its own ServiceAccount with imagePullSecrets and RBAC)
 
 ## Complete Documentation
 

examples/mcp-servers/apply-mcp-servers.sh

@@ -0,0 +1,68 @@
+#!/bin/bash
+# Apply all MCP server examples to Kubernetes cluster
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+EXAMPLES_DIR="${SCRIPT_DIR}"
+
+echo "Applying MCP server examples..."
+echo ""
+
+# Check if kubectl is available
+if ! command -v kubectl &> /dev/null; then
+    echo "Error: kubectl is not installed or not in PATH"
+    exit 1
+fi
+
+# Check if namespace exists
+if ! kubectl get namespace toolhive-system &> /dev/null; then
+    echo "Creating toolhive-system namespace..."
+    kubectl create namespace toolhive-system
+fi
+
+# Check if GitHub secrets exist, prompt to create if not
+echo "Checking for GitHub secrets..."
+if ! kubectl get secret ghcr-pull-secret -n toolhive-system &> /dev/null; then
+    echo "  Warning: ghcr-pull-secret does not exist"
+    echo "  Images from ghcr.io may fail to pull without this secret"
+    echo "  Create it with:"
+    echo "    export GITHUB_TOKEN=your_token_here"
+    echo "    export GITHUB_USERNAME=your_username"
+    echo "    ./examples/mcp-servers/create-github-secrets.sh"
+    echo "  Continuing anyway..."
+else
+    echo "  ✓ ghcr-pull-secret found"
+fi
+
+if ! kubectl get secret github-token -n toolhive-system &> /dev/null; then
+    echo "  Warning: github-token secret does not exist"
+    echo "  GitHub MCP servers may fail without this secret"
+    echo "  Create it with:"
+    echo "    export GITHUB_TOKEN=your_token_here"
+    echo "    export GITHUB_USERNAME=your_username"
+    echo "    ./examples/mcp-servers/create-github-secrets.sh"
+    echo "  Continuing anyway..."
+else
+    echo "  ✓ github-token found"
+fi
+
+# Apply shared ServiceAccount with imagePullSecrets
+echo ""
+echo "Applying shared-serviceaccount.yaml..."
+kubectl apply -f "${EXAMPLES_DIR}/shared-serviceaccount.yaml"
+
+# Apply MCP servers
+echo ""
+echo "Applying MCP servers..."
+kubectl apply -f "${EXAMPLES_DIR}/mcpserver_fetch.yaml"
+kubectl apply -f "${EXAMPLES_DIR}/mcpserver_github.yaml"
+kubectl apply -f "${EXAMPLES_DIR}/mcpserver_toolhive-doc-mcp.yaml"
+kubectl apply -f "${EXAMPLES_DIR}/mcpserver_mcp-optimizer.yaml"
+
+echo ""
+echo "✓ Applied all MCP server examples!"
+echo ""
+echo "Check status with: kubectl get mcpservers -n toolhive-system"
+echo "Check pods with: kubectl get pods -n toolhive-system"
+