chore(deps): sync patched tool version pins

Align Containerfile defaults, local install tooling, and pre-commit hadolint to
current patched versions to reduce recurring Trivy findings and keep docs in sync.

Made-with: Cursor

Author: miragecentury

.pre-commit-config.yaml

@@ -10,7 +10,7 @@ repos:
       - id: detect-private-key
 
   - repo: https://github.com/hadolint/hadolint
-    rev: v2.12.0
+    rev: v2.14.0
     hooks:
       - id: hadolint-docker
         args: ["--config", ".hadolint.yaml"]

CHANGELOG.md

@@ -4,6 +4,8 @@
 
 ### Changed
 
+* **deps:** sync Containerfile defaults and local tooling pins to patched versions (argo 4.0.4, kargo 1.9.6, pack 0.40.2, dive 0.13.1, hadolint 2.14.0, yq 4.53.2)
+
 ### Fixed
 
 ## [1.0.8](https://github.com/DeerHide/python-github-runner/compare/v1.0.7...v1.0.8) (2026-04-17)

Containerfile

@@ -47,7 +47,7 @@ RUN curl -fsSL https://aquasecurity.github.io/trivy-repo/deb/public.key \
     && rm -rf /var/lib/apt/lists/*
 
 # Install dive (container filesystem analysis)
-ARG DIVE_VERSION=0.12.0
+ARG DIVE_VERSION=0.13.1
 # hadolint ignore=DL3008
 RUN curl -sSL -o /tmp/dive.deb \
       "https://github.com/wagoodman/dive/releases/download/v${DIVE_VERSION}/dive_${DIVE_VERSION}_linux_amd64.deb" \
@@ -58,33 +58,33 @@ RUN curl -sSL -o /tmp/dive.deb \
     && rm -rf /var/lib/apt/lists/*
 
 # Install hadolint (Dockerfile/Containerfile linter)
-ARG HADOLINT_VERSION=2.12.0
+ARG HADOLINT_VERSION=2.14.0
 RUN curl -sSL -o /usr/local/bin/hadolint \
       "https://github.com/hadolint/hadolint/releases/download/v${HADOLINT_VERSION}/hadolint-Linux-x86_64" \
     && chmod +x /usr/local/bin/hadolint
 
 # Install yq (YAML processor)
-ARG YQ_VERSION=4.45.4
+ARG YQ_VERSION=4.53.2
 RUN curl -sSL -o /usr/local/bin/yq \
       "https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_amd64" \
     && chmod +x /usr/local/bin/yq
 
 # Install Argo Workflows CLI
-ARG ARGO_VERSION=3.6.4
+ARG ARGO_VERSION=4.0.4
 RUN curl -sSL -o /tmp/argo-linux-amd64.gz \
       "https://github.com/argoproj/argo-workflows/releases/download/v${ARGO_VERSION}/argo-linux-amd64.gz" \
     && gunzip /tmp/argo-linux-amd64.gz \
     && mv /tmp/argo-linux-amd64 /usr/local/bin/argo \
     && chmod +x /usr/local/bin/argo
 
 # Install Kargo CLI
-ARG KARGO_VERSION=1.9.2
+ARG KARGO_VERSION=1.9.6
 RUN curl -sSL -o /usr/local/bin/kargo \
       "https://github.com/akuity/kargo/releases/download/v${KARGO_VERSION}/kargo-linux-amd64" \
     && chmod +x /usr/local/bin/kargo
 
 # Install pack (Cloud Native Buildpacks CLI)
-ARG PACK_VERSION=0.36.4
+ARG PACK_VERSION=0.40.2
 RUN curl -sSL -o /tmp/pack.tgz \
       "https://github.com/buildpacks/pack/releases/download/v${PACK_VERSION}/pack-v${PACK_VERSION}-linux.tgz" \
     && tar -xzf /tmp/pack.tgz -C /usr/local/bin/ \

README.md

@@ -101,13 +101,13 @@ registry: ghcr.io/deerhide/python-github-runner
 build:
   format: oci
   args:
-    - RUNNER_VERSION=2.332.0
-    - ARGO_VERSION=3.6.4
-    - KARGO_VERSION=1.9.2
-    - PACK_VERSION=0.36.4
-    - DIVE_VERSION=0.12.0
-    - HADOLINT_VERSION=2.12.0
-    - YQ_VERSION=4.45.4
+    - RUNNER_VERSION=2.333.1
+    - ARGO_VERSION=4.0.4
+    - KARGO_VERSION=1.9.6
+    - PACK_VERSION=0.40.2
+    - DIVE_VERSION=0.13.1
+    - HADOLINT_VERSION=2.14.0
+    - YQ_VERSION=4.53.2
   labels:
     - org.opencontainers.image.source=https://github.com/deerhide/python-github-runner
     - org.opencontainers.image.description="Python GitHub Runner"

scripts/install_tools.sh

@@ -28,7 +28,7 @@ sudo apt-get install trivy -y
 sudo apt-get install buildah -y
 
 # Install yq
-VERSION="v4.45.4"
+VERSION="v4.53.2"
 BINARY="yq_linux_amd64"
 wget https://github.com/mikefarah/yq/releases/download/${VERSION}/${BINARY}.tar.gz -O - |\
   tar xz && sudo mv ${BINARY} /usr/local/bin/yq