fix: add kubectl/helm install + RBAC for integration-test CI job

- Install kubectl and helm in integration-test runner (DinD image lacks them)
- Configure kubectl with in-cluster service account credentials
- Add ClusterRoleBinding for runner SA to create inttest namespaces
- Add runner-rbac.yaml to runmefirst.sh install sequence

.github/workflows/build.yml

@@ -177,6 +177,36 @@ jobs:
     runs-on: self-hosted-gremlin
     steps:
       - uses: actions/checkout@v5
+
+      - name: Install kubectl
+        run: |
+          curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
+          chmod +x kubectl
+          mv kubectl /usr/local/bin/kubectl
+          kubectl version --client
+
+      - name: Install Helm
+        run: |
+          curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
+          helm version
+
+      - name: Configure kubectl
+        run: |
+          # Use in-cluster service account if available, otherwise skip
+          if [ -f /var/run/secrets/kubernetes.io/serviceaccount/token ]; then
+            kubectl config set-cluster in-cluster \
+              --server=https://kubernetes.default.svc \
+              --certificate-authority=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+            kubectl config set-credentials runner \
+              --token="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
+            kubectl config set-context runner --cluster=in-cluster --user=runner
+            kubectl config use-context runner
+            echo "Using in-cluster service account"
+          else
+            echo "No in-cluster credentials found — kubectl must be pre-configured"
+          fi
+          kubectl cluster-info || echo "WARNING: kubectl cannot reach cluster API"
+
       - name: Run integration tests
         run: |
           bash infra/inttest/run_pipeline.sh \