WIP - Feature Improve Build Determinism, Major Dependency Updates and Security Patches

[austindimmer]

Summary

Upgrade the terrarium dev container to an EL9 base and enforce deterministic builds. Python is managed with pyenv + uv (with pyproject.toml and uv.lock), Ruby and Bundler are pinned and installed in frozen mode, and we’ve expanded Bats tests to guard core tooling (Python, Azure/AWS/Terraform, infra utils).

Core tools versions are also updated to get latest features and security patches etc.

What changed

Base image: Move to the Enterprise Linux 9 family (UBI/RHEL/Rocky/Alma). Bats now asserts EL9 rather than Rocky 8.


Python: Add .python-version (3.12); install pyenv; adopt uv and lockfile (uv.lock) with pyproject.toml; drop legacy python_requirements. Tests verify Python version, uv, and pyenv.


Ruby: Pin Ruby 3.4.1 and Bundler 2.7.1; run Bundler frozen; Gemfile.lock updated (incl. k8s-ruby/train-kubernetes).


CLIs & tools: Install Azure CLI via the Microsoft RHEL9 repo; keep AWS CLI v2; Terraform via tenv; add tests for terraform-config-inspect and xorriso.


Automation: Expand Dependabot to Docker, pip (lockfile‑only), Bundler, and Actions; update .gitignore.

Why

Deterministic builds reduce “works on my machine” issues and improve supply‑chain security. Pinning interpreters and dependencies (Python & Ruby) plus test coverage ensures the container remains reproducible as upstream repos evolve.

There were a large amount of critical and high security vulnerabilities detected in the trivvy security scan actions pipeline. This PR will hopefully significantly improve the security posture of the resultant Terrarium container.