fix: address PR review feedback

- Pin RUNNER_VERSION to 2.321.0 instead of latest for reproducible builds
- Combine skopeo and buildah into a single RUN/apt-get layer
- Remove silent || true from docker load/tag in release workflow
- Mount .hadolint.yaml in release workflow validation step
- Fix semver parsing with proper validation in release push step
- Pass manifest build args in CI test build to match release build
- Fix malformed hadolint pre-commit hook entry
- Track RUNNER_VERSION in update-tools workflow
- Remove duplicate Poetry/UV installs from base stage (only needed for runner user)

https://claude.ai/code/session_01RofXXAMZxK4irobNYjYn3W

Author: claude

.github/workflows/ci.yaml

@@ -36,5 +36,16 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - name: Install yq
+        run: |
+          sudo curl -sSL -o /usr/local/bin/yq "https://github.com/mikefarah/yq/releases/download/v4.45.4/yq_linux_amd64"
+          sudo chmod +x /usr/local/bin/yq
+
       - name: Build image
-        run: docker build -f Containerfile -t test-build .
+        run: |
+          BUILD_ARGS=""
+          for arg in $(yq e '.build.args[]' manifest.yaml); do
+            BUILD_ARGS="${BUILD_ARGS} --build-arg ${arg}"
+          done
+          # shellcheck disable=SC2086
+          docker build -f Containerfile ${BUILD_ARGS} -t test-build .

.github/workflows/release.yaml

@@ -52,7 +52,7 @@ jobs:
       - name: Validate Containerfile
         run: |
           docker pull -q ghcr.io/hadolint/hadolint:latest
-          docker run --rm -i hadolint/hadolint:latest < Containerfile
+          docker run --rm -i -v "$(pwd)/.hadolint.yaml:/.hadolint.yaml:ro" hadolint/hadolint:latest hadolint --config /.hadolint.yaml - < Containerfile
 
       - name: Build image
         env:
@@ -95,8 +95,8 @@ jobs:
           buildah push "${IMAGE_NAME}:${IMAGE_VERSION}" "oci-archive:build/${IMAGE_NAME}.tar"
 
           # Load into Docker daemon for dive scan
-          docker load -i "build/${IMAGE_NAME}.tar" 2>/dev/null || true
-          docker tag "$(docker images -q | head -1)" "${IMAGE_NAME}:${IMAGE_VERSION}" 2>/dev/null || true
+          docker load -i "build/${IMAGE_NAME}.tar"
+          docker tag "$(docker images -q | head -1)" "${IMAGE_NAME}:${IMAGE_VERSION}"
 
       - name: Dive filesystem scan
         env:
@@ -123,14 +123,17 @@ jobs:
           IMAGE_NAME: ${{ steps.manifest.outputs.image_name }}
           REGISTRY: ${{ steps.manifest.outputs.registry }}
         run: |
-          MAJOR_MINOR="${IMAGE_VERSION%.*}"
-          MAJOR="${IMAGE_VERSION%%.*}"
+          IFS='.' read -r MAJOR MINOR PATCH <<< "${IMAGE_VERSION}"
+          if [ -z "${MAJOR}" ] || [ -z "${MINOR}" ] || [ -z "${PATCH}" ]; then
+            echo "Error: IMAGE_VERSION '${IMAGE_VERSION}' is not valid semver (expected MAJOR.MINOR.PATCH)"
+            exit 1
+          fi
 
           # Push semantic version tag (1.2.3)
           skopeo copy --all "oci-archive:build/${IMAGE_NAME}.tar" "docker://${REGISTRY}:${IMAGE_VERSION}"
 
           # Push major.minor tag (1.2)
-          skopeo copy --all "oci-archive:build/${IMAGE_NAME}.tar" "docker://${REGISTRY}:${MAJOR_MINOR}"
+          skopeo copy --all "oci-archive:build/${IMAGE_NAME}.tar" "docker://${REGISTRY}:${MAJOR}.${MINOR}"
 
           # Push major tag (1)
           skopeo copy --all "oci-archive:build/${IMAGE_NAME}.tar" "docker://${REGISTRY}:${MAJOR}"

.github/workflows/update-tools.yaml

@@ -26,27 +26,31 @@ jobs:
             gh api "repos/${repo}/releases/latest" --jq '.tag_name' | sed 's/^v//'
           }
 
+          RUNNER_LATEST=$(get_latest_version "actions/runner")
           ARGO_LATEST=$(get_latest_version "argoproj/argo-workflows")
           KARGO_LATEST=$(get_latest_version "akuity/kargo")
           PACK_LATEST=$(get_latest_version "buildpacks/pack")
           DIVE_LATEST=$(get_latest_version "wagoodman/dive")
           HADOLINT_LATEST=$(get_latest_version "hadolint/hadolint")
           YQ_LATEST=$(get_latest_version "mikefarah/yq")
 
+          echo "runner=${RUNNER_LATEST}" >> "$GITHUB_OUTPUT"
           echo "argo=${ARGO_LATEST}" >> "$GITHUB_OUTPUT"
           echo "kargo=${KARGO_LATEST}" >> "$GITHUB_OUTPUT"
           echo "pack=${PACK_LATEST}" >> "$GITHUB_OUTPUT"
           echo "dive=${DIVE_LATEST}" >> "$GITHUB_OUTPUT"
           echo "hadolint=${HADOLINT_LATEST}" >> "$GITHUB_OUTPUT"
           echo "yq=${YQ_LATEST}" >> "$GITHUB_OUTPUT"
 
+          RUNNER_CURRENT=$(grep -oP 'RUNNER_VERSION=\K[0-9.]+' Containerfile)
           ARGO_CURRENT=$(grep -oP 'ARGO_VERSION=\K[0-9.]+' Containerfile)
           KARGO_CURRENT=$(grep -oP 'KARGO_VERSION=\K[0-9.]+' Containerfile)
           PACK_CURRENT=$(grep -oP 'PACK_VERSION=\K[0-9.]+' Containerfile)
           DIVE_CURRENT=$(grep -oP 'DIVE_VERSION=\K[0-9.]+' Containerfile)
           HADOLINT_CURRENT=$(grep -oP 'HADOLINT_VERSION=\K[0-9.]+' Containerfile)
           YQ_CURRENT=$(grep -oP 'YQ_VERSION=\K[0-9.]+' Containerfile)
 
+          echo "runner_current=${RUNNER_CURRENT}" >> "$GITHUB_OUTPUT"
           echo "argo_current=${ARGO_CURRENT}" >> "$GITHUB_OUTPUT"
           echo "kargo_current=${KARGO_CURRENT}" >> "$GITHUB_OUTPUT"
           echo "pack_current=${PACK_CURRENT}" >> "$GITHUB_OUTPUT"
@@ -55,6 +59,9 @@ jobs:
           echo "yq_current=${YQ_CURRENT}" >> "$GITHUB_OUTPUT"
 
           UPDATES=""
+          if [ "${RUNNER_CURRENT}" != "${RUNNER_LATEST}" ]; then
+            UPDATES="${UPDATES}- GitHub Actions Runner: ${RUNNER_CURRENT} -> ${RUNNER_LATEST}\n"
+          fi
           if [ "${ARGO_CURRENT}" != "${ARGO_LATEST}" ]; then
             UPDATES="${UPDATES}- Argo Workflows CLI: ${ARGO_CURRENT} -> ${ARGO_LATEST}\n"
           fi
@@ -91,12 +98,14 @@ jobs:
       - name: Update versions in Containerfile and manifest
         if: steps.versions.outputs.has_updates == 'true'
         env:
+          RUNNER_LATEST: ${{ steps.versions.outputs.runner }}
           ARGO_LATEST: ${{ steps.versions.outputs.argo }}
           KARGO_LATEST: ${{ steps.versions.outputs.kargo }}
           PACK_LATEST: ${{ steps.versions.outputs.pack }}
           DIVE_LATEST: ${{ steps.versions.outputs.dive }}
           HADOLINT_LATEST: ${{ steps.versions.outputs.hadolint }}
           YQ_LATEST: ${{ steps.versions.outputs.yq }}
+          RUNNER_CURRENT: ${{ steps.versions.outputs.runner_current }}
           ARGO_CURRENT: ${{ steps.versions.outputs.argo_current }}
           KARGO_CURRENT: ${{ steps.versions.outputs.kargo_current }}
           PACK_CURRENT: ${{ steps.versions.outputs.pack_current }}
@@ -111,6 +120,7 @@ jobs:
             fi
           }
 
+          update_version "RUNNER_VERSION" "${RUNNER_CURRENT}" "${RUNNER_LATEST}"
           update_version "ARGO_VERSION" "${ARGO_CURRENT}" "${ARGO_LATEST}"
           update_version "KARGO_VERSION" "${KARGO_CURRENT}" "${KARGO_LATEST}"
           update_version "PACK_VERSION" "${PACK_CURRENT}" "${PACK_LATEST}"

.pre-commit-config.yaml

@@ -13,7 +13,6 @@ repos:
     rev: v2.12.0
     hooks:
       - id: hadolint-docker
-        entry: hadolint/hadolint hadolint
         args: ["--config", ".hadolint.yaml"]
 
   - repo: https://github.com/shellcheck-py/shellcheck-py

Containerfile

@@ -1,4 +1,4 @@
-ARG RUNNER_VERSION=latest
+ARG RUNNER_VERSION=2.321.0
 
 FROM ghcr.io/actions/runner:${RUNNER_VERSION} as base
 
@@ -25,17 +25,10 @@ RUN apt-get update \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 
-# Install skopeo
+# Install skopeo and buildah
 # hadolint ignore=DL3008
 RUN apt-get update \
-    && apt-get install --no-install-recommends -y skopeo \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
-
-# Install buildah
-# hadolint ignore=DL3008
-RUN apt-get update \
-    && apt-get install --no-install-recommends -y buildah \
+    && apt-get install --no-install-recommends -y skopeo buildah \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 
@@ -102,17 +95,6 @@ RUN curl -sSL -o /tmp/pack.tgz \
 # hadolint ignore=DL3013
 RUN pip install --no-cache-dir pre-commit
 
-# Install Poetry latest version and add it to PATH
-# hadolint ignore=DL4006
-RUN curl -sSL https://install.python-poetry.org | python3 -
-
-# Install UV
-# hadolint ignore=DL4006
-RUN curl -LsSf https://astral.sh/uv/install.sh | sh
-
-# Add Poetry and UV to PATH
-RUN echo "export PATH=\"${APP_HOME}/.local/bin:\$PATH\"" >> ~/.bashrc
-
 FROM base as runtime
 
 LABEL org.opencontainers.image.source=https://github.com/deerhide/python-github-runner

manifest.yaml

@@ -5,7 +5,7 @@ registry: ghcr.io/deerhide/python-github-runner
 build:
   format: oci
   args:
-    - RUNNER_VERSION=latest
+    - RUNNER_VERSION=2.321.0
     - ARGO_VERSION=3.6.4
     - KARGO_VERSION=1.9.2
     - PACK_VERSION=0.36.4