feat(runner): add glab CLI, pin all tool versions, add freshness workflow #1045

Closed
jeremyeder wants to merge 1 commit into main from feat/runner-glab-and-freshness-workflow

@jeremyeder

Summary

  • Adds glab (GitLab CLI) to the runner image
  • Pins all runner tools with explicit versions via Dockerfile ARGs, replacing unpinned installs
  • Adds a weekly CI workflow (runner-tool-versions.yml) that checks every runner component for updates and opens a PR when newer versions are available

What changed

Dockerfile

| Component | Before | After |
| --- | --- | --- |
| gh (GitHub CLI) | Unpinned (dnf repo) | ARG GH_VERSION=2.74.0 (binary download) |
| glab (GitLab CLI) | Not installed | ARG GLAB_VERSION=1.52.0 (binary download) |
| uv | pip install uv (unpinned) | pip install uv==0.7.8 |
| pre-commit | pip install pre-commit (unpinned) | pip install pre-commit==4.2.0 |
| gemini-cli | npm install -g @google/gemini-cli (unpinned) | npm install -g @google/gemini-cli@0.1.17 |
| Base image | Digest-pinned (unchanged) | Same |
| git, jq, Node.js, Go | dnf/AppStream (unchanged) | Same (tied to base image) |

Freshness workflow

  • Runs weekly (Monday 9 AM UTC) + manual trigger
  • Checks 6 components: base image digest (via skopeo), gh, glab, uv, pre-commit, gemini-cli
  • Opens a single PR on auto/update-runner-image with a version table when any component is outdated
  • Deduplicates against existing open PRs
  • Workflow summary page shows a freshness report for all components
  • Follows the same patterns as daily-sdk-update.yml

Test plan

  • Runner container image builds successfully with the new Dockerfile
  • gh version, glab version, uv --version, gemini --version all work inside the container
  • Workflow YAML passes actionlint / GitHub Actions validation
  • Manual workflow dispatch runs successfully

🤖 Generated with Claude Code
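
A sketch of the kind of check the freshness workflow described above performs, added here as an example and not taken from the PR's Dockerfile or `runner-tool-versions.yml`: it extracts version pins from a Dockerfile, flags installs that carry no pin, and lists components behind their latest release. The sample Dockerfile mixes lines from the table's Before and After columns, the "latest" versions are constructed, and the function names are hypothetical; plain dotted numeric versions are assumed.

```python
import re

ARG_RE = re.compile(r"^ARG\s+([A-Z0-9_]+)_VERSION=(\S+)$")
INSTALL_RE = re.compile(r"\b(pip install|npm install -g)\s+(.+)$")

# Constructed sample: pins from the PR table, plus one unpinned "before" line.
SAMPLE_DOCKERFILE = """\
ARG GH_VERSION=2.74.0
ARG GLAB_VERSION=1.52.0
RUN pip install uv==0.7.8
RUN pip install pre-commit
RUN npm install -g @google/gemini-cli@0.1.17
"""
# Constructed "latest" versions, not real release data.
SAMPLE_LATEST = {"gh": "2.74.0", "glab": "1.52.0", "uv": "0.7.10",
                 "@google/gemini-cli": "0.1.17"}

def extract_pins(dockerfile):
    """Return (pins, unpinned): name -> version, plus specs with no version."""
    pins, unpinned = {}, []
    for line in dockerfile.splitlines():
        line = line.strip()
        m = ARG_RE.match(line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
            continue
        m = INSTALL_RE.search(line)
        if not m:
            continue
        sep = "==" if m.group(1) == "pip install" else "@"
        # Only look at the install command itself, not chained "&& ..." steps.
        for spec in m.group(2).split("&&")[0].split():
            if spec.startswith("-"):
                continue  # skip flags such as --no-cache-dir
            # rpartition keeps the leading "@" of npm scoped names intact.
            name, found, version = spec.rpartition(sep)
            if found and name:
                pins[name] = version
            else:
                unpinned.append(spec)
    return pins, unpinned

def as_tuple(version):
    # Numeric comparison: "0.7.10" is newer than "0.7.8", unlike string order.
    return tuple(int(part) for part in version.lstrip("v").split("."))

def outdated(pins, latest):
    """List (name, pinned, latest) for each component behind its latest version."""
    return [(n, v, latest[n]) for n, v in sorted(pins.items())
            if n in latest and as_tuple(v) < as_tuple(latest[n])]
```

A non-empty `unpinned` list is the condition the Dockerfile change removes; a non-empty `outdated` list is the condition under which the workflow would open its update PR.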

…flow

- Add glab (GitLab CLI) binary to the runner image
- Pin all runner tools with explicit versions via Dockerfile ARGs:
  gh 2.74.0, glab 1.52.0, uv 0.7.8, pre-commit 4.2.0, gemini-cli 0.1.17
- Switch gh from dnf repo install to versioned binary download
- Add weekly CI workflow (runner-tool-versions.yml) that checks all
  components for updates and opens a PR when newer versions are available
- Covers: base image digest, gh, glab, uv, pre-commit, gemini-cli

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@coderabbitai

coderabbitai bot commented Mar 26, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


@jeremyeder

There was an ask through feedback to add glab to the runner. So I've done that and added a job to keep the runner updated.

@ktdreyer

I think this is an ok approach.

AIPCC uses Renovate to perform these bumping operations instead. That would be a standard and secure way to do dependency management in contrast to a one-off custom GH Action.

But I don't see a problem with this particular implementation today.

@jeremyeder

Superseded by #1091 which combines this PR with #845.
