
fix(runtime): add unzip + gh to base image #195

Merged

cbeaulieu-gt merged 1 commit into main from issue-194-base-image-deps on May 5, 2026

Conversation

@cbeaulieu-gt
Member

Summary

PR-A of the two-PR sequence described in issue #194 (#193 was the immediately-prior hotfix that exposed this failure layer).

One file changed: runtime/base/Dockerfile

The Phase 2 base image was missing two binaries that consumer composite actions hard-depend on:

  • `unzip` — added to the existing apt-get install step (alphabetically between jq and the cleanup line). Required by oven-sh/setup-bun@v1, which is invoked during the setup phase of anthropics/claude-code-action@v1 to extract its tarball. Without it the action fails with "Unable to locate executable file: unzip" before the review body even runs (observed on PR #191 (feat(ci): periodic overlay-image-pull smoke test) after #193 (fix(ci): add packages:read to container-pinned workflows) merged).

  • `gh` — added as a separate RUN step using the canonical cli.github.com/packages keyring + sources.list pattern (no deprecated `apt-key add`). Required by composite actions at 14+ call sites across pr-review/, apply-fix/, lint-failure/, ci-failure/, and tag-claude/ (PR diff fetching, status creation, comment posting, dedup). claude-code-action@v1 also exposes `gh` subcommands to the AI via `--allowedTools`.

Both layers are placed before COPY shared/ and npm install -g so they cache independently of manifest content churn.

Overlay Dockerfiles (runtime/overlays/{review,fix,explain}/Dockerfile) are not modified — they all inherit from base, so this single change covers all three overlays.

Local verification output

$ docker run --rm --entrypoint sh claude-runtime-base:test \
    -c 'which unzip && which gh && unzip -v | head -1 && gh --version | head -1'
/usr/bin/unzip
/usr/bin/gh
UnZip 6.00 of 20 April 2009, by Debian. Original by Info-ZIP.
gh version 2.92.0 (2026-04-28)

docker build exited 0. Both binaries verified present in the built image.

Test plan

  • STAGE 4-overlay smoke tests pass (CI runtime-build workflow validates rebuilt image)
  • actionlint passes (no workflow files changed in this PR)
  • After merge, runtime-build on main produces new overlay digests for PR-B

Closing note

This PR uses Refs #194, NOT Closes #194 — issue #194 closes when PR-B lands with the updated digest pins in the 5 container-pinned reusable workflows.

🤖 Generated by Claude Code on behalf of @cbeaulieu-gt
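As an added illustration (not the project's own Dockerfile), a minimal Debian-based base-image fragment with the two layers described above: `unzip` folded into the existing apt-get step, and `gh` installed from GitHub's apt repository with a keyring scoped to that one repository via `signed-by` instead of the deprecated global `apt-key add`. The parent image tag, the presence of curl, and the shared/ install paths are assumptions.

```dockerfile
# Added example, not the project's Dockerfile. Parent image is assumed;
# the PR does not name it. A node image is used so npm exists for the
# later npm install -g layer the PR description mentions.
FROM node:22-bookworm-slim

# Existing apt-get install step with unzip added alphabetically after jq.
# --no-install-recommends keeps the layer small; removing the package
# lists keeps stale indexes out of the image.
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        ca-certificates \
        curl \
        git \
        jq \
        unzip \
    && rm -rf /var/lib/apt/lists/*

# gh from GitHub's own apt repository. The keyring lives under
# /etc/apt/keyrings and is referenced with signed-by, so it can only
# authenticate packages from this one repository. apt-key add would have
# trusted the key for every repository on the system and is deprecated.
RUN install -d -m 0755 /etc/apt/keyrings \
    && curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \
        -o /etc/apt/keyrings/githubcli-archive-keyring.gpg \
    && chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg \
    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \
        > /etc/apt/sources.list.d/github-cli.list \
    && apt-get update \
    && apt-get install -y --no-install-recommends gh \
    && rm -rf /var/lib/apt/lists/*

# Build-time check mirroring the PR's local verification: the build
# fails here if either binary is missing, instead of failing later inside
# a consumer action.
RUN command -v unzip && command -v gh && unzip -v | head -1 && gh --version

# Both tool layers sit above the manifest-dependent layers, so editing
# shared/ or its package.json does not invalidate them in the build cache.
# Paths are assumptions.
COPY shared/ /opt/runtime/shared/
RUN npm install -g /opt/runtime/shared
```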

Phase 2 base image was missing two binaries that consumer composite
actions hard-depend on:

- `unzip` is required by oven-sh/setup-bun@v1, used during the setup
  phase of anthropics/claude-code-action@v1. Without it the action
  fails with "Unable to locate executable file: unzip" before the
  review body even runs (observed on PR #191 after #193 merged).

- `gh` is invoked at 14+ call sites across pr-review/, apply-fix/,
  lint-failure/, ci-failure/, and tag-claude/ composite actions
  (PR diff fetching, status creation, comment posting, dedup). The
  AI itself shells out to gh via --allowedTools.

Refs #194. PR-B will follow with digest-pin updates in the 5
container-pinned reusable workflows once the post-merge
runtime-build run on main produces the new digests.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@cbeaulieu-gt
Member Author

Note on the review check failure

The failing review check on this PR is a bootstrap artifact, not a real signal — it can be safely ignored when deciding whether to merge.

Why it fails: claude-pr-review.yml uses pull_request_target, which evaluates the workflow against the base ref's container pin — i.e. the digest currently in main, which is still the pre-fix claude-runtime-review@sha256:776980ed.... That old image is the very image this PR exists to replace; it lacks unzip (so oven-sh/setup-bun@v1 fails) and gh (so the composite action's PR-comment / status-creation steps fail). The PR's diff cannot be tested against itself.

The real signal is the rest of the matrix, all green:

  • ✅ STAGE 1 — clone + validate
  • ✅ STAGE 1c — extract-overlay determinism + matcher fixture replay
  • ✅ STAGE 2 — build + push base (the new image with unzip + gh baked in)
  • ✅ STAGE 3 — build + push overlays (review, fix, explain)
  • ✅ STAGE 3 — collect overlay digests
  • ✅ STAGE 4-base — smoke + secret scan
  • ✅ STAGE 4-overlay — smoke (review, fix, explain)
  • actionlint, claude-command-router corpus

To restore the review signal for future PRs, the follow-up PR (PR-B for #194) will update the 5 reusable workflows' container: ...@sha256:<digest> pins to the digests produced by the runtime-build run that fires after this PR merges. After PR-B lands, the bootstrap is broken and review works again on subsequent PRs.

🤖 Generated by Claude Code on behalf of @cbeaulieu-gt

@cbeaulieu-gt cbeaulieu-gt merged commit ff5aa34 into main May 5, 2026
14 of 15 checks passed
@cbeaulieu-gt cbeaulieu-gt deleted the issue-194-base-image-deps branch May 5, 2026 19:47
cbeaulieu-gt added a commit that referenced this pull request May 5, 2026
fix(ci): repoint container pins to post-#195 overlay digests