Skip to content

feat(tfroot-runner): bump tooling; replace oc with kubectl; drop OpenShift import workflow#2

Merged
xnoto merged 2 commits intomainfrom
chore/add-opencode-config
Apr 29, 2026
Merged

feat(tfroot-runner): bump tooling; replace oc with kubectl; drop OpenShift import workflow#2
xnoto merged 2 commits intomainfrom
chore/add-opencode-config

Conversation

@xnoto
Copy link
Copy Markdown
Contributor

@xnoto xnoto commented Apr 24, 2026
edited
Loading

Summary

  • Bump every pinned tool in tfroot-runner/Containerfile to current latest:

    Tool Old New
    terraform-docs 0.21.0 0.22.0
    opentofu 1.11.5 1.11.6
    sops 3.11.0 3.12.2
    tflint 0.61.0 0.62.0
    tfupdate 0.9.1 0.9.3
    infracost 0.10.43 0.10.44
    checkov 3.2.504 3.2.525
    pre-commit 4.5.1 4.6.0
    conventional-pre-commit (hook) v4.3.0 v4.4.0

  • The terraform-docs 0.21.0 → 0.22.0 bump fixes a months-long local-vs-CI divergence (Homebrew shipped v0.22.0; CI image stuck at v0.21.0 → README markdown tables regenerated in different formats locally vs in CI).

  • Drop oc (OpenShift CLI) + gcompat (alpine package, only needed for oc's glibc linking) — OpenShift Local is gone from the stack.

  • Add kubectl 1.36.0 as the replacement; the new PostSync hooks in kustomize-cluster (wait-for-crds, wait-for-repo-server, ci-token-sync) use kubectl directly.

  • Delete .github/workflows/pull.yml — this workflow imported each built image into OpenShift's internal registry at image-registry.openshift-image-registry.svc:5000/public-registry/<image>:latest. With CRC retired and consumers (CI workflows in tfroot-libvirt and kustomize-cluster) already pulling directly from ghcr.io/makeitworkcloud/...:latest, the import is dead code.

Bundles the previously-staged repo-local opencode config (the prior commit on this branch).

Test plan

  • pre-commit runs clean locally (hadolint not installed locally; CI's Build workflow runs hadolint via the buildah job)
  • CI Build job passes on PR (rebuilds image without push)
  • On merge: Build workflow rebuilds and pushes new tfroot-runner:latest to ghcr.io/makeitworkcloud
  • After merge: re-running CI on tfroot-libvirt PR feat(tfroot-runner): bump tooling; replace oc with kubectl; drop OpenShift import workflow #2 and any other tfroot-* repo will use the new image with terraform-docs v0.22.0, fixing the README format drift

xnoto added 2 commits April 24, 2026 14:00
@xnoto
chore: add repo-local opencode config
10a34b1
@xnoto
feat(tfroot-runner): bump tooling; replace oc with kubectl
4f8cadd 
Pin updates:
  CHECKOV_VERSION       3.2.504  -> 3.2.525
  PRECOMMIT_VERSION     4.5.1    -> 4.6.0
  OPENTOFU_VERSION      1.11.5   -> 1.11.6
  SOPS_VERSION          3.11.0   -> 3.12.2
  TERRAFORM_DOCS_VERSION 0.21.0  -> 0.22.0
  TFUPDATE_VERSION      0.9.1    -> 0.9.3
  TFLINT_VERSION        0.61.0   -> 0.62.0
  INFRACOST_VERSION     0.10.43  -> 0.10.44
  conventional-pre-commit hook  v4.3.0 -> v4.4.0

The terraform-docs bump in particular fixes a months-long divergence
where the Homebrew formula moved to v0.22.0 while CI was pinned at
v0.21.0, causing local pre-commit runs to regenerate README markdown
tables in a format CI rejected.

Drops the OpenShift CLI install (and the gcompat alpine package
that was only there to provide glibc compat for the oc binary).
Adds kubectl as the replacement (KUBECTL_VERSION=1.36.0); the new
PostSync hooks in kustomize-cluster use kubectl directly.

Tools: terraform-docs, opentofu/tofu, sops, kustomize, tfupdate,
hcledit, tflint, infracost, kubectl (new), pre-commit, checkov.
@xnoto xnoto changed the title chore: add repo-local opencode config feat(tfroot-runner): bump tooling; replace oc with kubectl; drop OpenShift import workflow Apr 29, 2026
@xnoto xnoto merged commit 1ad6979 into main Apr 29, 2026
2 checks passed
@xnoto xnoto deleted the chore/add-opencode-config branch April 29, 2026 21:24
@xnoto xnoto mentioned this pull request Apr 29, 2026
Merged
xnoto added a commit that referenced this pull request Apr 29, 2026
@xnoto
fix(ci): skip no-commit-to-branch in CI (#3)
f1baac9 
Hotfix for the post-merge build of #2.

The buildah workflow runs pre-commit on every push to main. The bundled
`no-commit-to-branch` hook (in this repo's own
`.pre-commit-config.yaml`) is intended to block interactive commits to
`main`, not CI runs of pushes that already exist on main. With no `SKIP`
env, the hook fails and the post-merge image build/push to ghcr never
happens.

This adds `SKIP: no-commit-to-branch` to the pre-commit step — same
pattern `shared-workflows/.github/workflows/opentofu.yml` already uses.
@xnoto xnoto mentioned this pull request Apr 29, 2026
Merged
xnoto added a commit that referenced this pull request Apr 29, 2026
@xnoto
ci: also push on workflow_dispatch (manual deploy) (#4)
08e66ab 
Auto-deploy on push-to-main is unchanged. This PR adds workflow_dispatch
as a second trigger that publishes — useful from the Actions pane to
refresh `tfroot-runner:latest` (which still hasn't been republished
since the bump in #2 due to the failed run + path-filter exclusion of
CI-only commits).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@xnoto