From c8c77f0fbaa976fff728c2462d79d1286962fdac Mon Sep 17 00:00:00 2001
From: xnoto <steven@makeitwork.cloud>
Date: Thu, 18 Jun 2026 21:49:46 -0600
Subject: [PATCH] chore(tfroot-runner): bump toolchain versions

Update pinned tools to their latest stable releases:
- OpenTofu 1.11.6 -> 1.12.3
- SOPS 3.12.2 -> 3.13.1
- terraform-docs 0.22.0 -> 0.24.0
- tfupdate 0.9.3 -> 0.9.4
- hcledit 0.2.17 -> 0.2.18
- tflint 0.62.0 -> 0.63.1
- kubectl 1.36.0 -> 1.36.2
- kustomize 5.8.0 -> 5.8.1
- checkov 3.2.525 -> 3.3.1

Also bump CI hadolint to 2.14.0 to match the repo pre-commit config.
---
 .github/workflows/buildah.yml |  2 +-
 tfroot-runner/Containerfile   | 18 +++++++++---------
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/buildah.yml b/.github/workflows/buildah.yml
index 6eb8388..c5f6c5a 100644
--- a/.github/workflows/buildah.yml
+++ b/.github/workflows/buildah.yml
@@ -75,7 +75,7 @@ jobs:
           sudo apt-get install -y buildah podman
           mkdir -p $HOME/.local/bin
           curl -sSL -o $HOME/.local/bin/hadolint \
-            https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64
+            https://github.com/hadolint/hadolint/releases/download/v2.14.0/hadolint-Linux-x86_64
           chmod +x $HOME/.local/bin/hadolint
           echo "$HOME/.local/bin" >> $GITHUB_PATH
 
diff --git a/tfroot-runner/Containerfile b/tfroot-runner/Containerfile
index 5c2b469..f5a2314 100644
--- a/tfroot-runner/Containerfile
+++ b/tfroot-runner/Containerfile
@@ -9,16 +9,16 @@
 ##############################
 # Pinned versions — update here
 ##############################
-ARG OPENTOFU_VERSION=1.11.6
-ARG SOPS_VERSION=3.12.2
-ARG TERRAFORM_DOCS_VERSION=0.22.0
-ARG TFUPDATE_VERSION=0.9.3
-ARG HCLEDIT_VERSION=0.2.17
-ARG TFLINT_VERSION=0.62.0
+ARG OPENTOFU_VERSION=1.12.3
+ARG SOPS_VERSION=3.13.1
+ARG TERRAFORM_DOCS_VERSION=0.24.0
+ARG TFUPDATE_VERSION=0.9.4
+ARG HCLEDIT_VERSION=0.2.18
+ARG TFLINT_VERSION=0.63.1
 ARG INFRACOST_VERSION=0.10.44
-ARG KUBECTL_VERSION=1.36.0
-ARG KUSTOMIZE_VERSION=5.8.0
-ARG CHECKOV_VERSION=3.2.525
+ARG KUBECTL_VERSION=1.36.2
+ARG KUSTOMIZE_VERSION=5.8.1
+ARG CHECKOV_VERSION=3.3.1
 ARG PRECOMMIT_VERSION=4.6.0
 ARG PYTHON_VERSION=3.14