feat(tfroot-runner): bump tooling; replace oc with kubectl; drop OpenShift import workflow

opencode.json

@@ -0,0 +1,37 @@
+{
+  "$schema": "https://opencode.ai/config.json",
+  "mcp": {
+    "agent-hub": {"type": "local", "command": ["npx", "-y", "agent-hub-mcp@latest"], "enabled": true},
+    "context-mode": {"type": "local", "command": ["context-mode"], "enabled": true},
+    "context7": {"type": "remote", "url": "https://mcp.context7.com/mcp", "enabled": true},
+    "github": {"type": "remote", "url": "https://api.githubcopilot.com/mcp/", "enabled": true, "headers": {"Authorization": "Bearer {env:GITHUB_TOKEN}"}},
+    "opencode-docs": {"enabled": false},
+    "opentofu-docs": {"enabled": false},
+    "aws-docs": {"enabled": false},
+    "kubernetes": {"enabled": false},
+    "tmux": {"enabled": false},
+    "linear": {"enabled": false},
+    "notion": {"enabled": false},
+    "aws-api-staging": {"enabled": false},
+    "aws-api-prod": {"enabled": false},
+    "grafana": {"enabled": false},
+    "terraform-docs": {"enabled": false},
+    "argocd-staging-eks": {"enabled": false},
+    "argocd-prod-eks": {"enabled": false}
+  },
+  "tools": {
+    "opencode-docs_*": false,
+    "opentofu-docs_*": false,
+    "aws-docs_*": false,
+    "kubernetes_*": false,
+    "tmux_*": false,
+    "linear_*": false,
+    "notion_*": false,
+    "aws-api-staging_*": false,
+    "aws-api-prod_*": false,
+    "grafana_*": false,
+    "terraform-docs_*": false,
+    "argocd-staging-eks_*": false,
+    "argocd-prod-eks_*": false
+  }
+}

tfroot-runner/Containerfile

@@ -7,8 +7,8 @@ RUN apk add --no-cache \
     build-base libffi-dev git
 
 # Install Python packages that need compilation
-ARG CHECKOV_VERSION=3.2.504
-ARG PRECOMMIT_VERSION=4.5.1
+ARG CHECKOV_VERSION=3.2.525
+ARG PRECOMMIT_VERSION=4.6.0
 RUN pip install --no-cache-dir --break-system-packages --root=/install --prefix=/usr \
     pre-commit==${PRECOMMIT_VERSION} checkov==${CHECKOV_VERSION}
 
@@ -20,7 +20,6 @@ LABEL description="Alpine-based IaC runner for OpenTofu/Terraform on AMD64 archi
 # Install runtime dependencies
 # cdrkit provides genisoimage equivalent (mkisofs)
 # binutils provides strip for binary size reduction
-# gcompat provides glibc compatibility for oc binary
 # hadolint ignore=DL3018
 RUN apk add --no-cache \
     curl unzip gnupg \
@@ -32,20 +31,20 @@ RUN apk add --no-cache \
     cdrkit \
     bash \
     binutils \
-    gcompat \
     make
 
 # Copy Python packages from builder
 COPY --from=builder /install /
 
 # Tool versions
-ARG OPENTOFU_VERSION=1.11.5
-ARG SOPS_VERSION=3.11.0
-ARG TERRAFORM_DOCS_VERSION=0.21.0
-ARG TFUPDATE_VERSION=0.9.1
+ARG OPENTOFU_VERSION=1.11.6
+ARG SOPS_VERSION=3.12.2
+ARG TERRAFORM_DOCS_VERSION=0.22.0
+ARG TFUPDATE_VERSION=0.9.3
 ARG HCLEDIT_VERSION=0.2.17
-ARG TFLINT_VERSION=0.61.0
-ARG INFRACOST_VERSION=0.10.43
+ARG TFLINT_VERSION=0.62.0
+ARG INFRACOST_VERSION=0.10.44
+ARG KUBECTL_VERSION=1.36.0
 
 # Install all binary tools in a single layer, strip debug symbols, clean up
 # hadolint ignore=DL3003,DL4006
@@ -57,9 +56,9 @@ RUN set -eux; \
     # OpenTofu (and symlink as terraform)
     curl --proto '=https' --tlsv1.2 -fsSL https://get.opentofu.org/install-opentofu.sh | sh -s -- --install-method standalone --opentofu-version "${OPENTOFU_VERSION}"; \
     ln -s /usr/local/bin/tofu /usr/local/bin/terraform; \
-    # OpenShift CLI
-    curl -L https://mirror.openshift.com/pub/openshift-v4/clients/ocp/stable/openshift-client-linux.tar.gz | tar xz -C /usr/local/bin oc; \
-    chmod +x /usr/local/bin/oc; \
+    # kubectl
+    curl -fsSL "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl" -o /usr/local/bin/kubectl; \
+    chmod +x /usr/local/bin/kubectl; \
     # Kustomize (script outputs to current directory)
     cd /tmp && curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash; \
     mv /tmp/kustomize /usr/local/bin/; \
@@ -82,7 +81,7 @@ RUN set -eux; \
     # Strip debug symbols from all Go/Rust binaries
     strip /usr/local/bin/sops \
           /usr/local/bin/tofu \
-          /usr/local/bin/oc \
+          /usr/local/bin/kubectl \
           /usr/local/bin/kustomize \
           /usr/local/bin/terraform-docs \
           /usr/local/bin/tfupdate \

tfroot-runner/pre-commit-config.yaml

@@ -5,7 +5,7 @@
 # To update hooks for all tfroot repos, modify this file and rebuild the image.
 repos:
   - repo: https://github.com/compilerla/conventional-pre-commit
-    rev: v4.3.0
+    rev: v4.4.0
     hooks:
       - id: conventional-pre-commit
         stages: [commit-msg]