feat(tfroot-runner): bump tooling; replace oc with kubectl; drop OpenShift import workflow (#2)

## Summary

- Bump every pinned tool in `tfroot-runner/Containerfile` to current
latest:
  | Tool | Old | New |
  |---|---|---|
  | terraform-docs | 0.21.0 | **0.22.0** |
  | opentofu | 1.11.5 | 1.11.6 |
  | sops | 3.11.0 | 3.12.2 |
  | tflint | 0.61.0 | 0.62.0 |
  | tfupdate | 0.9.1 | 0.9.3 |
  | infracost | 0.10.43 | 0.10.44 |
  | checkov | 3.2.504 | 3.2.525 |
  | pre-commit | 4.5.1 | 4.6.0 |
  | conventional-pre-commit (hook) | v4.3.0 | v4.4.0 |

- The **terraform-docs 0.21.0 → 0.22.0** bump fixes a months-long
local-vs-CI divergence (Homebrew shipped v0.22.0; CI image stuck at
v0.21.0 → README markdown tables regenerated in different formats
locally vs in CI).

- **Drop `oc` (OpenShift CLI) + `gcompat`** (alpine package, only needed
for oc's glibc linking) — OpenShift Local is gone from the stack.
- **Add `kubectl 1.36.0`** as the replacement; the new PostSync hooks in
kustomize-cluster (`wait-for-crds`, `wait-for-repo-server`,
`ci-token-sync`) use kubectl directly.

- **Delete `.github/workflows/pull.yml`** — this workflow imported each
built image into OpenShift's internal registry at
`image-registry.openshift-image-registry.svc:5000/public-registry/<image>:latest`.
With CRC retired and consumers (CI workflows in tfroot-libvirt and
kustomize-cluster) already pulling directly from
`ghcr.io/makeitworkcloud/...:latest`, the import is dead code.

Bundles the previously-staged repo-local opencode config (the prior
commit on this branch).

## Test plan

- [x] `pre-commit` runs clean locally (hadolint not installed locally;
CI's `Build` workflow runs hadolint via the buildah job)
- [ ] CI `Build` job passes on PR (rebuilds image without push)
- [x] On merge: `Build` workflow rebuilds and pushes new
`tfroot-runner:latest` to `ghcr.io/makeitworkcloud`
- [ ] After merge: re-running CI on tfroot-libvirt PR #2 and any other
tfroot-* repo will use the new image with terraform-docs v0.22.0, fixing
the README format drift

Author: xnoto

.github/workflows/pull.yml

@@ -0,0 +1,37 @@
+{
+  "$schema": "https://opencode.ai/config.json",
+  "mcp": {
+    "agent-hub": {"type": "local", "command": ["npx", "-y", "agent-hub-mcp@latest"], "enabled": true},
+    "context-mode": {"type": "local", "command": ["context-mode"], "enabled": true},
+    "context7": {"type": "remote", "url": "https://mcp.context7.com/mcp", "enabled": true},
+    "github": {"type": "remote", "url": "https://api.githubcopilot.com/mcp/", "enabled": true, "headers": {"Authorization": "Bearer {env:GITHUB_TOKEN}"}},
+    "opencode-docs": {"enabled": false},
+    "opentofu-docs": {"enabled": false},
+    "aws-docs": {"enabled": false},
+    "kubernetes": {"enabled": false},
+    "tmux": {"enabled": false},
+    "linear": {"enabled": false},
+    "notion": {"enabled": false},
+    "aws-api-staging": {"enabled": false},
+    "aws-api-prod": {"enabled": false},
+    "grafana": {"enabled": false},
+    "terraform-docs": {"enabled": false},
+    "argocd-staging-eks": {"enabled": false},
+    "argocd-prod-eks": {"enabled": false}
+  },
+  "tools": {
+    "opencode-docs_*": false,
+    "opentofu-docs_*": false,
+    "aws-docs_*": false,
+    "kubernetes_*": false,
+    "tmux_*": false,
+    "linear_*": false,
+    "notion_*": false,
+    "aws-api-staging_*": false,
+    "aws-api-prod_*": false,
+    "grafana_*": false,
+    "terraform-docs_*": false,
+    "argocd-staging-eks_*": false,
+    "argocd-prod-eks_*": false
+  }
+}

opencode.json

@@ -7,8 +7,8 @@ RUN apk add --no-cache \
     build-base libffi-dev git
 
 # Install Python packages that need compilation
-ARG CHECKOV_VERSION=3.2.504
-ARG PRECOMMIT_VERSION=4.5.1
+ARG CHECKOV_VERSION=3.2.525
+ARG PRECOMMIT_VERSION=4.6.0
 RUN pip install --no-cache-dir --break-system-packages --root=/install --prefix=/usr \
     pre-commit==${PRECOMMIT_VERSION} checkov==${CHECKOV_VERSION}
 
@@ -20,7 +20,6 @@ LABEL description="Alpine-based IaC runner for OpenTofu/Terraform on AMD64 archi
 # Install runtime dependencies
 # cdrkit provides genisoimage equivalent (mkisofs)
 # binutils provides strip for binary size reduction
-# gcompat provides glibc compatibility for oc binary
 # hadolint ignore=DL3018
 RUN apk add --no-cache \
     curl unzip gnupg \
@@ -32,20 +31,20 @@ RUN apk add --no-cache \
     cdrkit \
     bash \
     binutils \
-    gcompat \
     make
 
 # Copy Python packages from builder
 COPY --from=builder /install /
 
 # Tool versions
-ARG OPENTOFU_VERSION=1.11.5
-ARG SOPS_VERSION=3.11.0
-ARG TERRAFORM_DOCS_VERSION=0.21.0
-ARG TFUPDATE_VERSION=0.9.1
+ARG OPENTOFU_VERSION=1.11.6
+ARG SOPS_VERSION=3.12.2
+ARG TERRAFORM_DOCS_VERSION=0.22.0
+ARG TFUPDATE_VERSION=0.9.3
 ARG HCLEDIT_VERSION=0.2.17
-ARG TFLINT_VERSION=0.61.0
-ARG INFRACOST_VERSION=0.10.43
+ARG TFLINT_VERSION=0.62.0
+ARG INFRACOST_VERSION=0.10.44
+ARG KUBECTL_VERSION=1.36.0
 
 # Install all binary tools in a single layer, strip debug symbols, clean up
 # hadolint ignore=DL3003,DL4006
@@ -57,9 +56,9 @@ RUN set -eux; \
     # OpenTofu (and symlink as terraform)
     curl --proto '=https' --tlsv1.2 -fsSL https://get.opentofu.org/install-opentofu.sh | sh -s -- --install-method standalone --opentofu-version "${OPENTOFU_VERSION}"; \
     ln -s /usr/local/bin/tofu /usr/local/bin/terraform; \
-    # OpenShift CLI
-    curl -L https://mirror.openshift.com/pub/openshift-v4/clients/ocp/stable/openshift-client-linux.tar.gz | tar xz -C /usr/local/bin oc; \
-    chmod +x /usr/local/bin/oc; \
+    # kubectl
+    curl -fsSL "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl" -o /usr/local/bin/kubectl; \
+    chmod +x /usr/local/bin/kubectl; \
     # Kustomize (script outputs to current directory)
     cd /tmp && curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash; \
     mv /tmp/kustomize /usr/local/bin/; \
@@ -82,7 +81,7 @@ RUN set -eux; \
     # Strip debug symbols from all Go/Rust binaries
     strip /usr/local/bin/sops \
           /usr/local/bin/tofu \
-          /usr/local/bin/oc \
+          /usr/local/bin/kubectl \
           /usr/local/bin/kustomize \
           /usr/local/bin/terraform-docs \
           /usr/local/bin/tfupdate \

tfroot-runner/Containerfile

@@ -5,7 +5,7 @@
 # To update hooks for all tfroot repos, modify this file and rebuild the image.
 repos:
   - repo: https://github.com/compilerla/conventional-pre-commit
-    rev: v4.3.0
+    rev: v4.4.0
     hooks:
       - id: conventional-pre-commit
         stages: [commit-msg]