2026-02-24 09:54:58 -08:00
|
|
|
#!/usr/bin/env -S uv run --script
|
|
|
|
|
# /// script
|
|
|
|
|
# requires-python = ">=3.12"
|
C1: SHA-pin tooling dependencies (2026-04 cycle) (#344)
## Summary
Monthly tooling dependency refresh, with a one-time conversion from version-tag pins (`rev = "vX.Y.Z"`, `image:tag`, `>=`) to SHA / digest pins everywhere.
## Changes
- **prek hooks**: all `rev = "vX.Y.Z"` → commit SHA + `# vX.Y.Z` comment. Bumped trufflehog (3.94.0→3.95.2), kingfisher (1.91.0→1.97.0), ruff (0.15.7→0.15.12), shfmt (3.13.0→3.13.1), prettier (3.8.1→3.8.3), actionlint (1.7.11→1.7.12).
- **fly/Dockerfile**: tag pins → `image@sha256:...` digest pins. Bumped nginx (1.29.6→1.30.0-alpine), tailscale (v1.94.1→v1.94.2 — still inside the safe pre-1.96.5 range), alloy (v1.14.1→v1.16.0).
- **mise-tasks**: PEP 723 inline deps converted from `>=` to `==` (PEP 508 doesn't support hashes inline). All scripts pinned to current latest: rich 15.0.0, typer 0.25.0, pyyaml 6.0.3, httpx 0.28.1.
- **prek `additional_dependencies`**: ansible-lint==26.4.0, ansible-core==2.20.5.
- **taplo-lint**: pass `--no-schema`. Upstream's `--default-schema-catalogs` returns a format taplo v0.9.3 can't parse — we don't validate against TOML schemas anyway, so this turns off the broken catalog fetch.
- **docs/update-tooling-dependencies**: documents the SHA-pin convention, `docker buildx imagetools inspect` for digest lookup, and `prek clean` before re-verifying (cache grows to several GiB).
Forgejo workflow `actions/checkout@v6.0.2` was already at the latest SHA — no change.
## Test plan
- [x] `prek run --all-files` passes after `prek clean`
- [x] `deploy-fly` workflow builds and deploys the new fly image on merge
- [x] `fly status -a blumeops-proxy` healthy after deploy
- [x] Spot-check a few mise tasks (`mise run blumeops-tasks`, `mise run docs-check-links`) to confirm pinned deps resolve cleanly
Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/344
2026-04-30 16:51:43 -07:00
|
|
|
# dependencies = ["httpx==0.28.1", "rich==15.0.0", "typer==0.25.0"]
|
2026-02-24 09:54:58 -08:00
|
|
|
# ///
|
2026-01-24 13:30:26 -08:00
|
|
|
#MISE description="List available containers and their recent tags"
|
2026-02-24 09:54:58 -08:00
|
|
|
#USAGE arg "[name]" help="Optional container name to filter output"
|
|
|
|
|
"""List container images and their recent registry tags.
|
2026-01-24 13:30:26 -08:00
|
|
|
|
2026-02-24 09:54:58 -08:00
|
|
|
Shows build type (dockerfile/nix), registry path, and recent tags from the
|
|
|
|
|
zot registry. Tags are annotated with [main] or [branch] to indicate whether
|
|
|
|
|
the build commit is an ancestor of origin/main.
|
|
|
|
|
|
|
|
|
|
Usage:
|
|
|
|
|
mise run container-list # all containers
|
|
|
|
|
mise run container-list prometheus # single container (more tags shown)
|
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
import re
|
|
|
|
|
import subprocess
|
|
|
|
|
from pathlib import Path
|
|
|
|
|
|
|
|
|
|
import httpx
|
|
|
|
|
import typer
|
|
|
|
|
from rich.console import Console
|
|
|
|
|
from rich.table import Table
|
|
|
|
|
|
|
|
|
|
REGISTRY = "registry.ops.eblu.me"
|
|
|
|
|
CONTAINER_DIR = Path("containers")
|
|
|
|
|
|
|
|
|
|
console = Console()
|
|
|
|
|
app = typer.Typer(add_completion=False)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def git(*args: str) -> str:
|
|
|
|
|
result = subprocess.run(
|
|
|
|
|
["git", *args], capture_output=True, text=True, check=True
|
|
|
|
|
)
|
|
|
|
|
return result.stdout.strip()
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def sha_hint(tag: str) -> str:
|
|
|
|
|
"""Check if the 7-char hex SHA in a tag is on origin/main."""
|
|
|
|
|
match = re.search(r"[0-9a-f]{7}", tag)
|
|
|
|
|
if not match:
|
|
|
|
|
return ""
|
|
|
|
|
sha = match.group()
|
|
|
|
|
try:
|
|
|
|
|
full_sha = git("rev-parse", "--verify", sha)
|
|
|
|
|
except subprocess.CalledProcessError:
|
|
|
|
|
return "[dim]\\[unknown][/dim]"
|
|
|
|
|
try:
|
|
|
|
|
git("merge-base", "--is-ancestor", full_sha, "origin/main")
|
|
|
|
|
return "[green]\\[main][/green]"
|
|
|
|
|
except subprocess.CalledProcessError:
|
|
|
|
|
return "[yellow]\\[branch][/yellow]"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def get_tags(image: str) -> list[str]:
|
|
|
|
|
"""Query zot registry for version tags."""
|
|
|
|
|
try:
|
|
|
|
|
resp = httpx.get(
|
|
|
|
|
f"https://{REGISTRY}/v2/{image}/tags/list", timeout=10
|
|
|
|
|
)
|
|
|
|
|
resp.raise_for_status()
|
|
|
|
|
tags = resp.json().get("tags", [])
|
|
|
|
|
return sorted(
|
|
|
|
|
[t for t in tags if re.match(r"^v[0-9]", t)],
|
|
|
|
|
key=lambda t: t,
|
|
|
|
|
)
|
|
|
|
|
except (httpx.HTTPError, ValueError):
|
|
|
|
|
return []
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def discover_containers() -> list[dict]:
|
|
|
|
|
"""Find container directories with build files."""
|
|
|
|
|
containers = []
|
|
|
|
|
for d in sorted(CONTAINER_DIR.iterdir()):
|
|
|
|
|
if not d.is_dir():
|
|
|
|
|
continue
|
2026-04-11 17:11:56 -07:00
|
|
|
has_container_py = (d / "container.py").exists()
|
2026-02-24 09:54:58 -08:00
|
|
|
has_dockerfile = (d / "Dockerfile").exists()
|
|
|
|
|
has_nix = (d / "default.nix").exists()
|
2026-04-11 17:11:56 -07:00
|
|
|
if not has_container_py and not has_dockerfile and not has_nix:
|
2026-02-24 09:54:58 -08:00
|
|
|
continue
|
|
|
|
|
types = []
|
2026-04-11 17:11:56 -07:00
|
|
|
if has_container_py:
|
|
|
|
|
types.append("dagger")
|
2026-02-24 09:54:58 -08:00
|
|
|
if has_dockerfile:
|
|
|
|
|
types.append("dockerfile")
|
|
|
|
|
if has_nix:
|
|
|
|
|
types.append("nix")
|
|
|
|
|
containers.append({
|
|
|
|
|
"name": d.name,
|
|
|
|
|
"types": types,
|
|
|
|
|
"path": str(d),
|
|
|
|
|
})
|
|
|
|
|
return containers
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@app.command()
|
|
|
|
|
def main(
|
|
|
|
|
name: str = typer.Argument("", help="Container name to filter (optional)"),
|
|
|
|
|
) -> None:
|
|
|
|
|
"""List available containers and their recent tags."""
|
|
|
|
|
containers = discover_containers()
|
|
|
|
|
|
|
|
|
|
if name:
|
|
|
|
|
containers = [c for c in containers if c["name"] == name]
|
|
|
|
|
if not containers:
|
|
|
|
|
console.print(f"[red]No container found matching '{name}'.[/red]")
|
|
|
|
|
console.print("Run without arguments to see all containers.")
|
|
|
|
|
raise typer.Exit(1)
|
|
|
|
|
|
|
|
|
|
tag_count = 10 if name else 4
|
|
|
|
|
|
|
|
|
|
for c in containers:
|
|
|
|
|
image = f"blumeops/{c['name']}"
|
|
|
|
|
label = "+".join(c["types"])
|
|
|
|
|
tags = get_tags(image)
|
|
|
|
|
recent = tags[-tag_count:] if tags else []
|
|
|
|
|
|
|
|
|
|
console.print(f"[bold]\\[{label}] {c['name']}[/bold]")
|
|
|
|
|
console.print(f" Image: {REGISTRY}/{image}")
|
|
|
|
|
console.print(f" Path: {c['path']}")
|
|
|
|
|
|
|
|
|
|
if recent:
|
|
|
|
|
console.print(" Recent tags:")
|
|
|
|
|
for tag in recent:
|
|
|
|
|
hint = sha_hint(tag)
|
|
|
|
|
console.print(f" - {tag} {hint}")
|
|
|
|
|
else:
|
|
|
|
|
console.print(" Recent tags: [dim](none)[/dim]")
|
|
|
|
|
console.print()
|
|
|
|
|
|
|
|
|
|
console.print("[dim]---[/dim]")
|
|
|
|
|
console.print(
|
|
|
|
|
"Tags marked [green]\\[main][/green] were built from a commit on main."
|
|
|
|
|
)
|
|
|
|
|
console.print(
|
|
|
|
|
"Tags marked [yellow]\\[branch][/yellow] were built from a PR branch — "
|
|
|
|
|
"use \\[main] tags in production manifests."
|
|
|
|
|
)
|
|
|
|
|
console.print()
|
|
|
|
|
console.print("To trigger a build:")
|
|
|
|
|
console.print(" mise run container-build-and-release <container>")
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if __name__ == "__main__":
|
|
|
|
|
app()
|