Add mikefarah/yq to ci-tools image

[lex57ukr]

Context

The keystone project uses mikefarah/yq to read and transform YAML metadata at runtime (publish.sh, resolve-reference-mask.sh). The production keystone image already installs it from GitHub releases.

BATS tests that source runtime scripts using yq currently skip in ci-tools due to the missing dependency. They pass locally (make test-scripts local=1) where yq is installed, and the runtime path is covered by container tests, but shell-level unit test coverage is incomplete without it.

Request

Add mikefarah/yq (the standalone Go binary) to the ci-tools image using the existing curl + SHA-256 verification pattern (same as shfmt, actionlint, hadolint).

Not the Debian apt yq package — that is a different tool (Python jq wrapper) with incompatible syntax.

Install pattern

Same as the existing binary tools in the Dockerfile:

ARG YQ_VERSION
ARG YQ_SHA256_AMD64
ARG YQ_SHA256_ARM64
RUN YQ_SHA256=$([ "${TARGETARCH}" = "amd64" ] \
      && echo "${YQ_SHA256_AMD64}" || echo "${YQ_SHA256_ARM64}") \
  && curl -fsSL "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_${TARGETARCH}" \
      -o /usr/local/bin/yq \
  && echo "${YQ_SHA256}  /usr/local/bin/yq" | sha256sum -c - \
  && chmod +x /usr/local/bin/yq

With corresponding entries in versions.lock.