feat: auto-resolve upstream tag, drop Podman, clean up Makefile

- Add scripts/resolve-upstream-tag.sh: resolves Python version to
  actions/python-versions source tag via authenticated GitHub API
- Makefile: PYTHON_VERSION 3.14.4→3.14.5, auto-resolve ACTIONS_PYTHON_VERSIONS
- Makefile: drop Podman support (BuildKit --secret requires Docker)
- Makefile: export DOCKER_BUILDKIT=1 once, remove inline duplication
- Makefile: extract DOCKER_SECRET_FLAGS shared variable (24 lines saved)
- Dockerfile: sync default ARGs to 3.14.5-25647354415

Signed-off-by: Adilhusain Shaikh <Adilhusain.Shaikh@ibm.com>

Author: adilhusain-s

Makefile

@@ -9,15 +9,20 @@
 SHELL := /bin/bash
 .SHELLFLAGS := -eu -o pipefail -c
 
+# BuildKit is required for --secret mounts (GitHub token forwarding)
+export DOCKER_BUILDKIT := 1
+
 ifeq ($(origin V), undefined)
   Q := @
 else
   Q :=
 endif
 
 # Versioning
-PYTHON_VERSION          ?= 3.14.4
-ACTIONS_PYTHON_VERSIONS ?= 3.13.3-14344076652
+PYTHON_VERSION          ?= 3.14.5
+# Auto-resolve from upstream releases unless explicitly overridden.
+# To pin a specific tag: make ACTIONS_PYTHON_VERSIONS=3.14.4-25113653268 ...
+ACTIONS_PYTHON_VERSIONS ?= $(shell ./scripts/resolve-upstream-tag.sh $(PYTHON_VERSION))
 POWERSHELL_VERSION      ?= v7.6.1
 POWERSHELL_NATIVE_VERSION ?= v7.4.0
 UBUNTU_VERSION          ?= 24.04
@@ -40,13 +45,18 @@ else
   ARCH := $(ARCH_RAW)
 endif
 
-# Container Engine Detection
-CONTAINER_ENGINE := $(shell command -v podman 2>/dev/null || command -v docker)
+# Container Engine (Docker required — BuildKit needed for secret mounts)
+CONTAINER_ENGINE := $(shell command -v docker)
 
 ifeq ($(strip $(CONTAINER_ENGINE)),)
-  $(error No container runtime found. Please install `docker` or `podman`)
+  $(error Docker is required. BuildKit is needed for --secret mounts.)
 endif
 
+# Secret flags for Docker BuildKit (forwards GITHUB_TOKEN into the build)
+# Empty if GITHUB_TOKEN is not set — the Dockerfile handles missing secrets.
+c := ,
+DOCKER_SECRET_FLAGS = $(if $(GITHUB_TOKEN),--secret id=github_token$cenv=GITHUB_TOKEN,)
+
 # --- Internal Variables -------------------------------------------------------
 
 BASE_IMAGE := powershell:ubuntu-$(UBUNTU_VERSION)
@@ -83,12 +93,8 @@ $(OUTPUT_DIR)/$(HOST_ARTIFACT_NAME): verify-trivy-version verify-trivy-checksums
 	@echo "--- Building Python $(PYTHON_VERSION) Image ($(ARCH)) ---"
 	@echo "    Security Gate: CRIT=$(FAIL_ON_CRITICAL) HIGH=$(FAIL_ON_HIGH)"
 	$(Q)cd python-versions && \
-		secret_flags=""; \
-		if [ -n "$${GITHUB_TOKEN:-}" ]; then \
-			secret_flags="--secret id=github_token,env=GITHUB_TOKEN"; \
-		fi; \
-		DOCKER_BUILDKIT=1 $(CONTAINER_ENGINE) build \
-			$$secret_flags \
+		$(CONTAINER_ENGINE) build \
+			$(DOCKER_SECRET_FLAGS) \
 		--network=host \
 		--build-arg PYTHON_VERSION=$(PYTHON_VERSION) \
 		--build-arg ACTIONS_PYTHON_VERSIONS=$(ACTIONS_PYTHON_VERSIONS) \
@@ -158,12 +164,8 @@ update-trivy-pins:
 powershell: $(PS_PREREQS)
 	@echo "--- Building PowerShell Base Image ---"
 	$(Q)cd $(PS_DIR) && \
-		secret_flags=""; \
-		if [ -n "$${GITHUB_TOKEN:-}" ]; then \
-			secret_flags="--secret id=github_token,env=GITHUB_TOKEN"; \
-		fi; \
 		$(CONTAINER_ENGINE) build \
-			$$secret_flags \
+			$(DOCKER_SECRET_FLAGS) \
 		--network=host \
 		--build-arg POWERSHELL_VERSION=$(POWERSHELL_VERSION) \
 		--build-arg POWERSHELL_NATIVE_VERSION=$(POWERSHELL_NATIVE_VERSION) \

python-versions/Dockerfile

@@ -2,8 +2,8 @@
 ARG UBUNTU_VERSION=24.04
 ARG BASE_IMAGE=powershell:ubuntu-${UBUNTU_VERSION}
 ARG TARGETARCH
-ARG PYTHON_VERSION=3.13.3
-ARG ACTIONS_PYTHON_VERSIONS=3.13.3-14344076652
+ARG PYTHON_VERSION=3.14.5
+ARG ACTIONS_PYTHON_VERSIONS=3.14.5-25647354415
 ARG TRIVY_VERSION=v0.70.0  # default should match .trivyversion in repo root
 
 # ================= BUILDER STAGE =====================

scripts/resolve-upstream-tag.sh

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+# ------------------------------------------------------------------------------
+# resolve-upstream-tag.sh
+#
+# Resolves a Python version (e.g., "3.14.5" or "3.15.0-beta.1") to the
+# corresponding source-code tag from the actions/python-versions upstream
+# repository by querying its GitHub releases.
+#
+# Usage:
+#   ./scripts/resolve-upstream-tag.sh <python-version>
+#
+# Examples:
+#   ./scripts/resolve-upstream-tag.sh 3.14.5       # → 3.14.5-25647354415
+#   ./scripts/resolve-upstream-tag.sh 3.15.0-beta.1 # → 3.15.0-beta.1-25533511631
+#
+# Requires: curl, jq, and gh (GitHub CLI). Uses gh's stored token for auth.
+# ------------------------------------------------------------------------------
+set -euo pipefail
+
+if [ $# -ne 1 ]; then
+  echo "Usage: $0 <python-version>" >&2
+  exit 1
+fi
+
+PYTHON_VERSION="$1"
+UPSTREAM_REPO="actions/python-versions"
+
+# Retrieve the GitHub token from gh CLI for authenticated curl requests
+GH_TOKEN="$(gh auth token)"
+
+# Query the upstream releases API and find the release whose name
+# matches the requested Python version exactly.
+TAG_NAME=$(curl -sL -H "Authorization: Bearer $GH_TOKEN" \
+  "https://api.github.com/repos/${UPSTREAM_REPO}/releases" \
+  | jq -r --arg ver "$PYTHON_VERSION" \
+    '[.[] | select(.name == $ver)] | first | .tag_name // empty')
+
+if [ -z "$TAG_NAME" ]; then
+  echo "ERROR: Could not find upstream release matching Python version '$PYTHON_VERSION' in $UPSTREAM_REPO" >&2
+  exit 1
+fi
+
+echo "$TAG_NAME"