feat: pin tool versions and enable Renovate tracking

Pinned versions for key dynamically-installed tools to enable better
version tracking and changelog visibility:

- Flux v2.7.2
- ORAS v1.3.0
- Carvel ytt v0.52.1
- Carvel imgpkg v0.46.1

Changes:
- Added ARG declarations for tool versions in Dockerfile
- Updated installation commands to use pinned versions
- Configured Renovate regex managers to track and update these versions
- Added version files for runtime inspection (/etc/<tool>-version)
- Updated CLAUDE.md documentation

Benefits:
- Renovate will create PRs with changelogs when tools are updated
- Version changes are now visible in git history
- Reproducible builds with locked versions
- Users can inspect installed versions at runtime

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Author: tuxpeople

CLAUDE.md

@@ -81,11 +81,14 @@ The container includes 60+ tools across several categories:
 - **Performance**: fio, hdparm, ioping, iozone, speedtest-cli
 - **General utilities**: bash, curl, wget, jq, yq, vim, git, screen, tmux, htop, lsof, rsync
 
-### Dynamic Tool Versions
-Some tools are installed dynamically from their latest releases:
-- **ORAS**: Installed from latest GitHub release with fallback to v1.3.0. Version stored in `/etc/oras-version` for runtime inspection.
-- **Flux**: Installed via official install script
-- **Carvel tools**: Installed via official install script
+### Pinned Tool Versions
+Key tools have pinned versions managed by Renovate:
+- **ORAS**: Version pinned via `ARG ORAS_VERSION` in Dockerfile. Version stored in `/etc/oras-version`
+- **Flux**: Version pinned via `ARG FLUX_VERSION` in Dockerfile. Version stored in `/etc/flux-version`
+- **Carvel ytt**: Version pinned via `ARG CARVEL_YTT_VERSION` in Dockerfile. Version stored in `/etc/ytt-version`
+- **Carvel imgpkg**: Version pinned via `ARG CARVEL_IMGPKG_VERSION` in Dockerfile. Version stored in `/etc/imgpkg-version`
+
+Renovate automatically creates PRs when new versions are released. All version files can be inspected at runtime in `/etc/`.
 
 ## Dockerfile Architecture
 
@@ -125,6 +128,20 @@ When adding tools that are installed from GitHub releases or external sources:
 
 Renovate is configured to automatically update dependencies with automerge enabled for all updates, including patch versions. The configuration ensures fast dependency updates without manual intervention.
 
+### Pinned Tool Updates via Renovate
+
+The following tools are version-pinned in the Dockerfile and automatically updated by Renovate:
+- **Flux CLI** (`fluxcd/flux2`)
+- **ORAS** (`oras-project/oras`)
+- **Carvel ytt** (`carvel-dev/ytt`)
+- **Carvel imgpkg** (`carvel-dev/imgpkg`)
+
+Renovate uses regex managers to detect version updates in the Dockerfile `ARG` statements and creates PRs with changelogs when new versions are released. This provides:
+- Clear visibility of tool version changes in git history
+- Automatic changelog generation from GitHub releases
+- Ability to review and test updates before merging
+- Reproducible builds with locked versions
+
 ## Important Notes
 
 - **Platform Support**: The container builds for `linux/amd64` and `linux/arm64` only. Both PR and release workflows must use identical platform lists.

Dockerfile

@@ -13,6 +13,12 @@ SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 LABEL org.opencontainers.image.authors="Thomas Deutsch <[email protected]>" \
       org.opencontainers.image.description="Debug container with networking and troubleshooting tools"
 
+# Tool versions (managed by Renovate)
+ARG FLUX_VERSION=2.7.2
+ARG CARVEL_YTT_VERSION=0.52.1
+ARG CARVEL_IMGPKG_VERSION=0.46.1
+ARG ORAS_VERSION=1.3.0
+
 COPY scripts/* /scripts/
 COPY requirements.txt /requirements.txt
 
@@ -83,20 +89,22 @@ RUN chmod +x /scripts/* \
   wget \
   which \
   yq \
-  && curl -s https://fluxcd.io/install.sh | bash \
-  && curl -L https://carvel.dev/install.sh | K14SIO_INSTALL_BIN_DIR=/usr/local/bin bash \
-  && rm -f /usr/local/bin/kapp /usr/local/bin/kbld /usr/local/bin/kwt /usr/local/bin/vendir \
   && OS="$(uname -s | tr A-Z a-z)" \
   && ARCH="$(uname -m | sed -e 's/x86_64/amd64/g' -e 's/aarch64/arm64/g')" \
-  && ORAS_VERSION="$(curl -s https://api.github.com/repos/oras-project/oras/releases/latest | grep -o '"tag_name": *"[^"]*"' | grep -o 'v[0-9][^"]*' || echo 'v1.3.0')" \
-  && test -n "${ORAS_VERSION}" || ORAS_VERSION="v1.3.0" \
-  && curl -LO "https://github.com/oras-project/oras/releases/download/${ORAS_VERSION}/oras_${ORAS_VERSION#v}_${OS}_${ARCH}.tar.gz" \
+  && curl -sL "https://github.com/fluxcd/flux2/releases/download/v${FLUX_VERSION}/flux_${FLUX_VERSION}_${OS}_${ARCH}.tar.gz" | tar xz -C /usr/local/bin \
+  && curl -sL "https://github.com/carvel-dev/ytt/releases/download/v${CARVEL_YTT_VERSION}/ytt-${OS}-${ARCH}" -o /usr/local/bin/ytt \
+  && curl -sL "https://github.com/carvel-dev/imgpkg/releases/download/v${CARVEL_IMGPKG_VERSION}/imgpkg-${OS}-${ARCH}" -o /usr/local/bin/imgpkg \
+  && chmod +x /usr/local/bin/ytt /usr/local/bin/imgpkg \
+  && curl -LO "https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/oras_${ORAS_VERSION}_${OS}_${ARCH}.tar.gz" \
   && mkdir -p oras-install/ \
   && tar -zxf "oras_${ORAS_VERSION#v}_${OS}_${ARCH}.tar.gz" -C oras-install/ \
   && mv oras-install/oras /usr/local/bin/ \
-  && rm -rf "oras_${ORAS_VERSION#v}_${OS}_${ARCH}.tar.gz" oras-install/ \
+  && rm -rf "oras_${ORAS_VERSION}_${OS}_${ARCH}.tar.gz" oras-install/ \
   && oras completion bash > /etc/bash_completion.d/oras \
-  && echo "${ORAS_VERSION}" > /etc/oras-version \
+  && echo "v${ORAS_VERSION}" > /etc/oras-version \
+  && echo "v${FLUX_VERSION}" > /etc/flux-version \
+  && echo "v${CARVEL_YTT_VERSION}" > /etc/ytt-version \
+  && echo "v${CARVEL_IMGPKG_VERSION}" > /etc/imgpkg-version \
   && apk add --no-cache --virtual .build-deps musl-dev python3-dev libffi-dev openssl-dev cargo make \
   && pip install --break-system-packages --no-cache-dir --upgrade pip \
   && pip install --break-system-packages --no-cache-dir --requirement /requirements.txt \
@@ -111,8 +119,11 @@ RUN chmod +x /scripts/* \
 
 WORKDIR /workdir
 
-# Dynamic tool versions are stored in /etc/ for runtime inspection
+# Pinned tool versions are stored in /etc/ for runtime inspection
 # - /etc/oras-version: ORAS CLI version
+# - /etc/flux-version: Flux CLI version
+# - /etc/ytt-version: Carvel ytt version
+# - /etc/imgpkg-version: Carvel imgpkg version
 
 # environment settings
 ENV PS1="\u@debugcontainer($(hostname)):\w\\$ " \

renovate.json

@@ -16,7 +16,45 @@
         "patch"
       ],
       "automerge": true,
-      "automergeType": "pr",
+      "automergeType": "pr"
+    }
+  ],
+  "regexManagers": [
+    {
+      "fileMatch": ["^Dockerfile$"],
+      "matchStrings": [
+        "ARG FLUX_VERSION=(?<currentValue>.*?)\\n"
+      ],
+      "datasourceTemplate": "github-releases",
+      "depNameTemplate": "fluxcd/flux2",
+      "extractVersionTemplate": "^v?(?<version>.*)$"
+    },
+    {
+      "fileMatch": ["^Dockerfile$"],
+      "matchStrings": [
+        "ARG CARVEL_YTT_VERSION=(?<currentValue>.*?)\\n"
+      ],
+      "datasourceTemplate": "github-releases",
+      "depNameTemplate": "carvel-dev/ytt",
+      "extractVersionTemplate": "^v?(?<version>.*)$"
+    },
+    {
+      "fileMatch": ["^Dockerfile$"],
+      "matchStrings": [
+        "ARG CARVEL_IMGPKG_VERSION=(?<currentValue>.*?)\\n"
+      ],
+      "datasourceTemplate": "github-releases",
+      "depNameTemplate": "carvel-dev/imgpkg",
+      "extractVersionTemplate": "^v?(?<version>.*)$"
+    },
+    {
+      "fileMatch": ["^Dockerfile$"],
+      "matchStrings": [
+        "ARG ORAS_VERSION=(?<currentValue>.*?)\\n"
+      ],
+      "datasourceTemplate": "github-releases",
+      "depNameTemplate": "oras-project/oras",
+      "extractVersionTemplate": "^v?(?<version>.*)$"
     }
   ]
 }