From 10a34b12a3e6af7de74a52571a59c2d999f4f543 Mon Sep 17 00:00:00 2001
From: xnoto
Date: Fri, 24 Apr 2026 14:00:38 -0600
Subject: [PATCH 1/2] chore: add repo-local opencode config

---
 opencode.json | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 opencode.json

diff --git a/opencode.json b/opencode.json
new file mode 100644
index 0000000..b8bcd68
--- /dev/null
+++ b/opencode.json
@@ -0,0 +1,37 @@
+{
+ "$schema": "https://opencode.ai/config.json",
+ "mcp": {
+ "agent-hub": {"type": "local", "command": ["npx", "-y", "agent-hub-mcp@latest"], "enabled": true},
+ "context-mode": {"type": "local", "command": ["context-mode"], "enabled": true},
+ "context7": {"type": "remote", "url": "https://mcp.context7.com/mcp", "enabled": true},
+ "github": {"type": "remote", "url": "https://api.githubcopilot.com/mcp/", "enabled": true, "headers": {"Authorization": "Bearer {env:GITHUB_TOKEN}"}},
+ "opencode-docs": {"enabled": false},
+ "opentofu-docs": {"enabled": false},
+ "aws-docs": {"enabled": false},
+ "kubernetes": {"enabled": false},
+ "tmux": {"enabled": false},
+ "linear": {"enabled": false},
+ "notion": {"enabled": false},
+ "aws-api-staging": {"enabled": false},
+ "aws-api-prod": {"enabled": false},
+ "grafana": {"enabled": false},
+ "terraform-docs": {"enabled": false},
+ "argocd-staging-eks": {"enabled": false},
+ "argocd-prod-eks": {"enabled": false}
+ },
+ "tools": {
+ "opencode-docs_*": false,
+ "opentofu-docs_*": false,
+ "aws-docs_*": false,
+ "kubernetes_*": false,
+ "tmux_*": false,
+ "linear_*": false,
+ "notion_*": false,
+ "aws-api-staging_*": false,
+ "aws-api-prod_*": false,
+ "grafana_*": false,
+ "terraform-docs_*": false,
+ "argocd-staging-eks_*": false,
+ "argocd-prod-eks_*": false
+ }
+}

From 4f8caddcab0c1d4c9f912fdc2b9f52bf5a42f8f1 Mon Sep 17 00:00:00 2001
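Review bot: The agent-hub entry on the fourth added line runs `npx -y agent-hub-mcp@latest`, so each session resolves and executes whichever version of that package is current on the registry at that moment, with no pin and no lockfile anyone can review. Pinning to an exact version, e.g. `"command": ["npx", "-y", "agent-hub-mcp@<pinned-version>"]`, makes the executed code reproducible and lets a bump go through this file like any other dependency change. The two remote entries are outside this file's control, but the local one is where a pin is available. Reading `GITHUB_TOKEN` from the environment rather than committing it is the right shape; a short comment or README line stating which scopes that token needs would help, since it is forwarded to api.githubcopilot.com.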
From: xnoto
Date: Wed, 29 Apr 2026 15:22:30 -0600
Subject: [PATCH 2/2] feat(tfroot-runner): bump tooling; replace oc with kubectl

Pin updates:
CHECKOV_VERSION 3.2.504 -> 3.2.525
PRECOMMIT_VERSION 4.5.1 -> 4.6.0
OPENTOFU_VERSION 1.11.5 -> 1.11.6
SOPS_VERSION 3.11.0 -> 3.12.2
TERRAFORM_DOCS_VERSION 0.21.0 -> 0.22.0
TFUPDATE_VERSION 0.9.1 -> 0.9.3
TFLINT_VERSION 0.61.0 -> 0.62.0
INFRACOST_VERSION 0.10.43 -> 0.10.44
conventional-pre-commit hook v4.3.0 -> v4.4.0

The terraform-docs bump in particular fixes a months-long divergence where the Homebrew formula moved to v0.22.0 while CI was pinned at v0.21.0, causing local pre-commit runs to regenerate README markdown tables in a format CI rejected.

Drops the OpenShift CLI install (and the gcompat alpine package that was only there to provide glibc compat for the oc binary).
Adds kubectl as the replacement (KUBECTL_VERSION=1.36.0); the new PostSync hooks in kustomize-cluster use kubectl directly.

Tools: terraform-docs, opentofu/tofu, sops, kustomize, tfupdate, hcledit, tflint, infracost, kubectl (new), pre-commit, checkov.
---
 .github/workflows/pull.yml | 54 ----------------------------------------------------
 tfroot-runner/Containerfile | 27 +++++++-------
 tfroot-runner/pre-commit-config.yaml | 2 +-
 3 files changed, 14 insertions(+), 69 deletions(-)
 delete mode 100644 .github/workflows/pull.yml

diff --git a/.github/workflows/pull.yml b/.github/workflows/pull.yml
deleted file mode 100644
index 395bcb1..0000000
--- a/.github/workflows/pull.yml
+++ /dev/null
@@ -1,54 +0,0 @@
----
-name: Pull
-
-on:
- workflow_run:
- workflows: ["Build"]
- types:
- - completed
-
-permissions:
- contents: read
-
-jobs:
- detect:
- runs-on: arc
- if: ${{ github.event.workflow_run.conclusion == 'success' }}
- outputs:
- images: ${{ steps.find.outputs.images }}
- steps:
- - name: Checkout
- uses: actions/checkout@v4
-
- - name: Find all images
- id: find
- run: |
- images=$(find . -maxdepth 2 -name Containerfile | cut -d'/' -f2 | jq -R -s -c 'split("\n") | map(select(length > 0))')
- echo "images=$images" >> "$GITHUB_OUTPUT"
-
- import:
- needs: detect
- if: needs.detect.outputs.images != '[]'
- runs-on: arc
- strategy:
- matrix:
- image: ${{ fromJson(needs.detect.outputs.images) }}
-
- steps:
- - name: Install OpenShift CLI
- uses: redhat-actions/oc-installer@v1
-
- - name: Login to OpenShift
- uses: redhat-actions/oc-login@v1
- with:
- openshift_server_url: ${{ secrets.OPENSHIFT_SERVER_URL }}
- openshift_token: ${{ secrets.OPENSHIFT_TOKEN }}
- insecure_skip_tls_verify: true
-
- - name: Import image to OpenShift
- run: |
- oc import-image ${{ matrix.image }}:latest \
- --from=ghcr.io/makeitworkcloud/${{ matrix.image }}:latest \
- -n public-registry \
- --confirm \
- --reference-policy=local || true
diff --git a/tfroot-runner/Containerfile b/tfroot-runner/Containerfile
index 832c2e2..65165fd 100644
--- a/tfroot-runner/Containerfile
+++ b/tfroot-runner/Containerfile
@@ -7,8 +7,8 @@ RUN apk add --no-cache \
 build-base libffi-dev git
 # Install Python packages that need compilation
-ARG CHECKOV_VERSION=3.2.504
-ARG PRECOMMIT_VERSION=4.5.1
+ARG CHECKOV_VERSION=3.2.525
+ARG PRECOMMIT_VERSION=4.6.0
 RUN pip install --no-cache-dir --break-system-packages --root=/install --prefix=/usr \
 pre-commit==${PRECOMMIT_VERSION} checkov==${CHECKOV_VERSION}
@@ -20,7 +20,6 @@ LABEL description="Alpine-based IaC runner for OpenTofu/Terraform on AMD64 archi
 # Install runtime dependencies
 # cdrkit provides genisoimage equivalent (mkisofs)
 # binutils provides strip for binary size reduction
-# gcompat provides glibc compatibility for oc binary
 # hadolint ignore=DL3018
 RUN apk add --no-cache \
 curl unzip gnupg \
@@ -32,20 +31,20 @@ RUN apk add --no-cache \
 cdrkit \
 bash \
 binutils \
- gcompat \
 make
 # Copy Python packages from builder
 COPY --from=builder /install /
 # Tool versions
-ARG OPENTOFU_VERSION=1.11.5
-ARG SOPS_VERSION=3.11.0
-ARG TERRAFORM_DOCS_VERSION=0.21.0
-ARG TFUPDATE_VERSION=0.9.1
+ARG OPENTOFU_VERSION=1.11.6
+ARG SOPS_VERSION=3.12.2
+ARG TERRAFORM_DOCS_VERSION=0.22.0
+ARG TFUPDATE_VERSION=0.9.3
 ARG HCLEDIT_VERSION=0.2.17
-ARG TFLINT_VERSION=0.61.0
-ARG INFRACOST_VERSION=0.10.43
+ARG TFLINT_VERSION=0.62.0
+ARG INFRACOST_VERSION=0.10.44
+ARG KUBECTL_VERSION=1.36.0
 # Install all binary tools in a single layer, strip debug symbols, clean up
 # hadolint ignore=DL3003,DL4006
@@ -57,9 +56,9 @@ RUN set -eux; \
 # OpenTofu (and symlink as terraform)
 curl --proto '=https' --tlsv1.2 -fsSL https://get.opentofu.org/install-opentofu.sh | sh -s -- --install-method standalone --opentofu-version "${OPENTOFU_VERSION}"; \
 ln -s /usr/local/bin/tofu /usr/local/bin/terraform; \
- # OpenShift CLI
- curl -L https://mirror.openshift.com/pub/openshift-v4/clients/ocp/stable/openshift-client-linux.tar.gz | tar xz -C /usr/local/bin oc; \
- chmod +x /usr/local/bin/oc; \
+ # kubectl
+ curl -fsSL "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl" -o /usr/local/bin/kubectl; \
+ chmod +x /usr/local/bin/kubectl; \
 # Kustomize (script outputs to current directory)
 cd /tmp && curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash; \
 mv /tmp/kustomize /usr/local/bin/; \
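Review bot: The new kubectl fetch in the `@@ -57,9 +56,9 @@` hunk writes the downloaded file straight to /usr/local/bin with no integrity check; the version pin fixes which URL is requested but says nothing about whether the bytes received are the ones Kubernetes published. The release directory serves a checksum next to the binary, so before the `chmod +x` line the download can be verified with `curl -fsSL "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256" -o /tmp/kubectl.sha256; \` followed by `echo "$(cat /tmp/kubectl.sha256)  /usr/local/bin/kubectl" | sha256sum -c -; \`, and the `set -eux` on the RUN line will then fail the build on a mismatch. The OpenTofu fetch two lines above passes `--proto '=https' --tlsv1.2`; the kubectl curl should carry the same flags so the two downloads in this RUN have the same transport policy. The enclosing RUN starts before this hunk and continues past it.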
@@ -82,7 +81,7 @@ RUN set -eux; \
 # Strip debug symbols from all Go/Rust binaries
 strip /usr/local/bin/sops \
 /usr/local/bin/tofu \
- /usr/local/bin/oc \
+ /usr/local/bin/kubectl \
 /usr/local/bin/kustomize \
 /usr/local/bin/terraform-docs \
 /usr/local/bin/tfupdate \
diff --git a/tfroot-runner/pre-commit-config.yaml b/tfroot-runner/pre-commit-config.yaml
index 4e048ac..9f0a89a 100644
--- a/tfroot-runner/pre-commit-config.yaml
+++ b/tfroot-runner/pre-commit-config.yaml
@@ -5,7 +5,7 @@
 # To update hooks for all tfroot repos, modify this file and rebuild the image.
 repos:
 - repo: https://github.com/compilerla/conventional-pre-commit
- rev: v4.3.0
+ rev: v4.4.0
 hooks:
 - id: conventional-pre-commit
 stages: [commit-msg]