2026-03-02 18:15:23 -08:00
|
|
|
# prek.toml - Git hooks configuration
|
|
|
|
|
# Run: prek run --all-files
|
|
|
|
|
# Install: prek install && prek install --hook-type commit-msg
|
|
|
|
|
|
|
|
|
|
# Built-in hooks (fast, Rust-native — no external dependencies)
|
|
|
|
|
[[repos]]
|
|
|
|
|
repo = "builtin"
|
|
|
|
|
hooks = [
|
|
|
|
|
{ id = "trailing-whitespace" },
|
|
|
|
|
{ id = "end-of-file-fixer" },
|
|
|
|
|
{ id = "check-added-large-files", args = [
|
|
|
|
|
"--maxkb=1000",
|
|
|
|
|
] },
|
|
|
|
|
{ id = "check-merge-conflict" },
|
|
|
|
|
{ id = "check-json" },
|
|
|
|
|
{ id = "check-toml" },
|
|
|
|
|
{ id = "check-case-conflict" },
|
|
|
|
|
{ id = "detect-private-key" },
|
|
|
|
|
{ id = "check-executables-have-shebangs" },
|
|
|
|
|
]
|
|
|
|
|
|
|
|
|
|
# check-yaml with --unsafe (builtin fast path doesn't support --unsafe yet)
|
|
|
|
|
[[repos]]
|
|
|
|
|
repo = "https://github.com/pre-commit/pre-commit-hooks"
|
C1: SHA-pin tooling dependencies (2026-04 cycle) (#344)
## Summary
Monthly tooling dependency refresh, with a one-time conversion from version-tag pins (`rev = "vX.Y.Z"`, `image:tag`, `>=`) to SHA / digest pins everywhere.
## Changes
- **prek hooks**: all `rev = "vX.Y.Z"` → commit SHA + `# vX.Y.Z` comment. Bumped trufflehog (3.94.0→3.95.2), kingfisher (1.91.0→1.97.0), ruff (0.15.7→0.15.12), shfmt (3.13.0→3.13.1), prettier (3.8.1→3.8.3), actionlint (1.7.11→1.7.12).
- **fly/Dockerfile**: tag pins → `image@sha256:...` digest pins. Bumped nginx (1.29.6→1.30.0-alpine), tailscale (v1.94.1→v1.94.2 — still inside the safe pre-1.96.5 range), alloy (v1.14.1→v1.16.0).
- **mise-tasks**: PEP 723 inline deps converted from `>=` to `==` (PEP 508 doesn't support hashes inline). All scripts pinned to current latest: rich 15.0.0, typer 0.25.0, pyyaml 6.0.3, httpx 0.28.1.
- **prek `additional_dependencies`**: ansible-lint==26.4.0, ansible-core==2.20.5.
- **taplo-lint**: pass `--no-schema`. Upstream's `--default-schema-catalogs` returns a format taplo v0.9.3 can't parse — we don't validate against TOML schemas anyway, so this turns off the broken catalog fetch.
- **docs/update-tooling-dependencies**: documents the SHA-pin convention, `docker buildx imagetools inspect` for digest lookup, and `prek clean` before re-verifying (cache grows to several GiB).
Forgejo workflow `actions/checkout@v6.0.2` was already at the latest SHA — no change.
## Test plan
- [x] `prek run --all-files` passes after `prek clean`
- [x] `deploy-fly` workflow builds and deploys the new fly image on merge
- [x] `fly status -a blumeops-proxy` healthy after deploy
- [x] Spot-check a few mise tasks (`mise run blumeops-tasks`, `mise run docs-check-links`) to confirm pinned deps resolve cleanly
Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/344
2026-04-30 16:51:43 -07:00
|
|
|
rev = "3e8a8703264a2f4a69428a0aa4dcb512790b2c8c" # v6.0.0
|
2026-03-02 18:15:23 -08:00
|
|
|
hooks = [{ id = "check-yaml", args = ["--unsafe"] }]
|
|
|
|
|
|
2026-03-28 21:06:16 -07:00
|
|
|
# Secret detection (running both tools in parallel to compare coverage)
|
2026-03-02 18:15:23 -08:00
|
|
|
[[repos]]
|
|
|
|
|
repo = "https://github.com/trufflesecurity/trufflehog"
|
C1: SHA-pin tooling dependencies (2026-04 cycle) (#344)
## Summary
Monthly tooling dependency refresh, with a one-time conversion from version-tag pins (`rev = "vX.Y.Z"`, `image:tag`, `>=`) to SHA / digest pins everywhere.
## Changes
- **prek hooks**: all `rev = "vX.Y.Z"` → commit SHA + `# vX.Y.Z` comment. Bumped trufflehog (3.94.0→3.95.2), kingfisher (1.91.0→1.97.0), ruff (0.15.7→0.15.12), shfmt (3.13.0→3.13.1), prettier (3.8.1→3.8.3), actionlint (1.7.11→1.7.12).
- **fly/Dockerfile**: tag pins → `image@sha256:...` digest pins. Bumped nginx (1.29.6→1.30.0-alpine), tailscale (v1.94.1→v1.94.2 — still inside the safe pre-1.96.5 range), alloy (v1.14.1→v1.16.0).
- **mise-tasks**: PEP 723 inline deps converted from `>=` to `==` (PEP 508 doesn't support hashes inline). All scripts pinned to current latest: rich 15.0.0, typer 0.25.0, pyyaml 6.0.3, httpx 0.28.1.
- **prek `additional_dependencies`**: ansible-lint==26.4.0, ansible-core==2.20.5.
- **taplo-lint**: pass `--no-schema`. Upstream's `--default-schema-catalogs` returns a format taplo v0.9.3 can't parse — we don't validate against TOML schemas anyway, so this turns off the broken catalog fetch.
- **docs/update-tooling-dependencies**: documents the SHA-pin convention, `docker buildx imagetools inspect` for digest lookup, and `prek clean` before re-verifying (cache grows to several GiB).
Forgejo workflow `actions/checkout@v6.0.2` was already at the latest SHA — no change.
## Test plan
- [x] `prek run --all-files` passes after `prek clean`
- [x] `deploy-fly` workflow builds and deploys the new fly image on merge
- [x] `fly status -a blumeops-proxy` healthy after deploy
- [x] Spot-check a few mise tasks (`mise run blumeops-tasks`, `mise run docs-check-links`) to confirm pinned deps resolve cleanly
Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/344
2026-04-30 16:51:43 -07:00
|
|
|
rev = "17456f8c7d042d8c82c9a8ca9e937231f9f42e26" # v3.95.2
|
2026-03-02 18:15:23 -08:00
|
|
|
hooks = [
|
|
|
|
|
{ id = "trufflehog", entry = "trufflehog git file://. --since-commit HEAD --no-verification --fail", stages = [
|
|
|
|
|
"pre-commit",
|
|
|
|
|
"pre-push",
|
|
|
|
|
] },
|
|
|
|
|
]
|
|
|
|
|
|
2026-03-28 21:06:16 -07:00
|
|
|
[[repos]]
|
|
|
|
|
repo = "https://github.com/mongodb/kingfisher"
|
C1: SHA-pin tooling dependencies (2026-04 cycle) (#344)
## Summary
Monthly tooling dependency refresh, with a one-time conversion from version-tag pins (`rev = "vX.Y.Z"`, `image:tag`, `>=`) to SHA / digest pins everywhere.
## Changes
- **prek hooks**: all `rev = "vX.Y.Z"` → commit SHA + `# vX.Y.Z` comment. Bumped trufflehog (3.94.0→3.95.2), kingfisher (1.91.0→1.97.0), ruff (0.15.7→0.15.12), shfmt (3.13.0→3.13.1), prettier (3.8.1→3.8.3), actionlint (1.7.11→1.7.12).
- **fly/Dockerfile**: tag pins → `image@sha256:...` digest pins. Bumped nginx (1.29.6→1.30.0-alpine), tailscale (v1.94.1→v1.94.2 — still inside the safe pre-1.96.5 range), alloy (v1.14.1→v1.16.0).
- **mise-tasks**: PEP 723 inline deps converted from `>=` to `==` (PEP 508 doesn't support hashes inline). All scripts pinned to current latest: rich 15.0.0, typer 0.25.0, pyyaml 6.0.3, httpx 0.28.1.
- **prek `additional_dependencies`**: ansible-lint==26.4.0, ansible-core==2.20.5.
- **taplo-lint**: pass `--no-schema`. Upstream's `--default-schema-catalogs` returns a format taplo v0.9.3 can't parse — we don't validate against TOML schemas anyway, so this turns off the broken catalog fetch.
- **docs/update-tooling-dependencies**: documents the SHA-pin convention, `docker buildx imagetools inspect` for digest lookup, and `prek clean` before re-verifying (cache grows to several GiB).
Forgejo workflow `actions/checkout@v6.0.2` was already at the latest SHA — no change.
## Test plan
- [x] `prek run --all-files` passes after `prek clean`
- [x] `deploy-fly` workflow builds and deploys the new fly image on merge
- [x] `fly status -a blumeops-proxy` healthy after deploy
- [x] Spot-check a few mise tasks (`mise run blumeops-tasks`, `mise run docs-check-links`) to confirm pinned deps resolve cleanly
Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/344
2026-04-30 16:51:43 -07:00
|
|
|
rev = "9ddec4ab8b53653d4941e6b3fd4ff602ce91d81b" # v1.97.0
|
2026-03-28 21:06:16 -07:00
|
|
|
hooks = [
|
|
|
|
|
{ id = "kingfisher", args = [
|
|
|
|
|
"scan",
|
|
|
|
|
".",
|
|
|
|
|
"--staged",
|
|
|
|
|
"--quiet",
|
|
|
|
|
"--no-update-check",
|
|
|
|
|
"--no-validate",
|
|
|
|
|
], stages = [
|
|
|
|
|
"pre-commit",
|
|
|
|
|
"pre-push",
|
|
|
|
|
] },
|
|
|
|
|
]
|
|
|
|
|
|
2026-03-02 18:15:23 -08:00
|
|
|
# YAML linting
|
|
|
|
|
[[repos]]
|
|
|
|
|
repo = "https://github.com/adrienverge/yamllint"
|
C1: SHA-pin tooling dependencies (2026-04 cycle) (#344)
## Summary
Monthly tooling dependency refresh, with a one-time conversion from version-tag pins (`rev = "vX.Y.Z"`, `image:tag`, `>=`) to SHA / digest pins everywhere.
## Changes
- **prek hooks**: all `rev = "vX.Y.Z"` → commit SHA + `# vX.Y.Z` comment. Bumped trufflehog (3.94.0→3.95.2), kingfisher (1.91.0→1.97.0), ruff (0.15.7→0.15.12), shfmt (3.13.0→3.13.1), prettier (3.8.1→3.8.3), actionlint (1.7.11→1.7.12).
- **fly/Dockerfile**: tag pins → `image@sha256:...` digest pins. Bumped nginx (1.29.6→1.30.0-alpine), tailscale (v1.94.1→v1.94.2 — still inside the safe pre-1.96.5 range), alloy (v1.14.1→v1.16.0).
- **mise-tasks**: PEP 723 inline deps converted from `>=` to `==` (PEP 508 doesn't support hashes inline). All scripts pinned to current latest: rich 15.0.0, typer 0.25.0, pyyaml 6.0.3, httpx 0.28.1.
- **prek `additional_dependencies`**: ansible-lint==26.4.0, ansible-core==2.20.5.
- **taplo-lint**: pass `--no-schema`. Upstream's `--default-schema-catalogs` returns a format taplo v0.9.3 can't parse — we don't validate against TOML schemas anyway, so this turns off the broken catalog fetch.
- **docs/update-tooling-dependencies**: documents the SHA-pin convention, `docker buildx imagetools inspect` for digest lookup, and `prek clean` before re-verifying (cache grows to several GiB).
Forgejo workflow `actions/checkout@v6.0.2` was already at the latest SHA — no change.
## Test plan
- [x] `prek run --all-files` passes after `prek clean`
- [x] `deploy-fly` workflow builds and deploys the new fly image on merge
- [x] `fly status -a blumeops-proxy` healthy after deploy
- [x] Spot-check a few mise tasks (`mise run blumeops-tasks`, `mise run docs-check-links`) to confirm pinned deps resolve cleanly
Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/344
2026-04-30 16:51:43 -07:00
|
|
|
rev = "cba56bcde1fdd01c1deb3f945e69764c291a6530" # v1.38.0
|
2026-03-02 18:15:23 -08:00
|
|
|
hooks = [{ id = "yamllint", args = ["-c", ".yamllint.yaml"] }]
|
|
|
|
|
|
|
|
|
|
# Ansible linting
|
|
|
|
|
[[repos]]
|
|
|
|
|
repo = "local"
|
|
|
|
|
|
|
|
|
|
[[repos.hooks]]
|
|
|
|
|
id = "ansible-lint"
|
|
|
|
|
name = "ansible-lint"
|
|
|
|
|
entry = "env ANSIBLE_ROLES_PATH=ansible/roles ansible-lint"
|
|
|
|
|
language = "python"
|
|
|
|
|
files = "^ansible/"
|
C1: SHA-pin tooling dependencies (2026-04 cycle) (#344)
## Summary
Monthly tooling dependency refresh, with a one-time conversion from version-tag pins (`rev = "vX.Y.Z"`, `image:tag`, `>=`) to SHA / digest pins everywhere.
## Changes
- **prek hooks**: all `rev = "vX.Y.Z"` → commit SHA + `# vX.Y.Z` comment. Bumped trufflehog (3.94.0→3.95.2), kingfisher (1.91.0→1.97.0), ruff (0.15.7→0.15.12), shfmt (3.13.0→3.13.1), prettier (3.8.1→3.8.3), actionlint (1.7.11→1.7.12).
- **fly/Dockerfile**: tag pins → `image@sha256:...` digest pins. Bumped nginx (1.29.6→1.30.0-alpine), tailscale (v1.94.1→v1.94.2 — still inside the safe pre-1.96.5 range), alloy (v1.14.1→v1.16.0).
- **mise-tasks**: PEP 723 inline deps converted from `>=` to `==` (PEP 508 doesn't support hashes inline). All scripts pinned to current latest: rich 15.0.0, typer 0.25.0, pyyaml 6.0.3, httpx 0.28.1.
- **prek `additional_dependencies`**: ansible-lint==26.4.0, ansible-core==2.20.5.
- **taplo-lint**: pass `--no-schema`. Upstream's `--default-schema-catalogs` returns a format taplo v0.9.3 can't parse — we don't validate against TOML schemas anyway, so this turns off the broken catalog fetch.
- **docs/update-tooling-dependencies**: documents the SHA-pin convention, `docker buildx imagetools inspect` for digest lookup, and `prek clean` before re-verifying (cache grows to several GiB).
Forgejo workflow `actions/checkout@v6.0.2` was already at the latest SHA — no change.
## Test plan
- [x] `prek run --all-files` passes after `prek clean`
- [x] `deploy-fly` workflow builds and deploys the new fly image on merge
- [x] `fly status -a blumeops-proxy` healthy after deploy
- [x] Spot-check a few mise tasks (`mise run blumeops-tasks`, `mise run docs-check-links`) to confirm pinned deps resolve cleanly
Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/344
2026-04-30 16:51:43 -07:00
|
|
|
additional_dependencies = ["ansible-lint==26.4.0", "ansible-core==2.20.5"]
|
2026-03-02 18:15:23 -08:00
|
|
|
|
|
|
|
|
# Python - ruff for linting and formatting
|
|
|
|
|
[[repos]]
|
|
|
|
|
repo = "https://github.com/astral-sh/ruff-pre-commit"
|
C1: SHA-pin tooling dependencies (2026-04 cycle) (#344)
## Summary
Monthly tooling dependency refresh, with a one-time conversion from version-tag pins (`rev = "vX.Y.Z"`, `image:tag`, `>=`) to SHA / digest pins everywhere.
## Changes
- **prek hooks**: all `rev = "vX.Y.Z"` → commit SHA + `# vX.Y.Z` comment. Bumped trufflehog (3.94.0→3.95.2), kingfisher (1.91.0→1.97.0), ruff (0.15.7→0.15.12), shfmt (3.13.0→3.13.1), prettier (3.8.1→3.8.3), actionlint (1.7.11→1.7.12).
- **fly/Dockerfile**: tag pins → `image@sha256:...` digest pins. Bumped nginx (1.29.6→1.30.0-alpine), tailscale (v1.94.1→v1.94.2 — still inside the safe pre-1.96.5 range), alloy (v1.14.1→v1.16.0).
- **mise-tasks**: PEP 723 inline deps converted from `>=` to `==` (PEP 508 doesn't support hashes inline). All scripts pinned to current latest: rich 15.0.0, typer 0.25.0, pyyaml 6.0.3, httpx 0.28.1.
- **prek `additional_dependencies`**: ansible-lint==26.4.0, ansible-core==2.20.5.
- **taplo-lint**: pass `--no-schema`. Upstream's `--default-schema-catalogs` returns a format taplo v0.9.3 can't parse — we don't validate against TOML schemas anyway, so this turns off the broken catalog fetch.
- **docs/update-tooling-dependencies**: documents the SHA-pin convention, `docker buildx imagetools inspect` for digest lookup, and `prek clean` before re-verifying (cache grows to several GiB).
Forgejo workflow `actions/checkout@v6.0.2` was already at the latest SHA — no change.
## Test plan
- [x] `prek run --all-files` passes after `prek clean`
- [x] `deploy-fly` workflow builds and deploys the new fly image on merge
- [x] `fly status -a blumeops-proxy` healthy after deploy
- [x] Spot-check a few mise tasks (`mise run blumeops-tasks`, `mise run docs-check-links`) to confirm pinned deps resolve cleanly
Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/344
2026-04-30 16:51:43 -07:00
|
|
|
rev = "6fec9b7edb08fd9989088709d864a7826dc74e80" # v0.15.12
|
2026-03-02 18:15:23 -08:00
|
|
|
hooks = [{ id = "ruff", args = ["--fix"] }, { id = "ruff-format" }]
|
|
|
|
|
|
2026-04-12 08:54:32 -07:00
|
|
|
# Python - ty type checker
|
|
|
|
|
[[repos]]
|
|
|
|
|
repo = "local"
|
|
|
|
|
|
|
|
|
|
[[repos.hooks]]
|
|
|
|
|
id = "ty-check"
|
|
|
|
|
name = "ty type check"
|
|
|
|
|
entry = "ty check"
|
|
|
|
|
language = "system"
|
|
|
|
|
types = ["python"]
|
|
|
|
|
pass_filenames = false
|
|
|
|
|
|
2026-03-02 18:15:23 -08:00
|
|
|
# Shell scripts - shellcheck and shfmt
|
|
|
|
|
[[repos]]
|
|
|
|
|
repo = "https://github.com/shellcheck-py/shellcheck-py"
|
C1: SHA-pin tooling dependencies (2026-04 cycle) (#344)
## Summary
Monthly tooling dependency refresh, with a one-time conversion from version-tag pins (`rev = "vX.Y.Z"`, `image:tag`, `>=`) to SHA / digest pins everywhere.
## Changes
- **prek hooks**: all `rev = "vX.Y.Z"` → commit SHA + `# vX.Y.Z` comment. Bumped trufflehog (3.94.0→3.95.2), kingfisher (1.91.0→1.97.0), ruff (0.15.7→0.15.12), shfmt (3.13.0→3.13.1), prettier (3.8.1→3.8.3), actionlint (1.7.11→1.7.12).
- **fly/Dockerfile**: tag pins → `image@sha256:...` digest pins. Bumped nginx (1.29.6→1.30.0-alpine), tailscale (v1.94.1→v1.94.2 — still inside the safe pre-1.96.5 range), alloy (v1.14.1→v1.16.0).
- **mise-tasks**: PEP 723 inline deps converted from `>=` to `==` (PEP 508 doesn't support hashes inline). All scripts pinned to current latest: rich 15.0.0, typer 0.25.0, pyyaml 6.0.3, httpx 0.28.1.
- **prek `additional_dependencies`**: ansible-lint==26.4.0, ansible-core==2.20.5.
- **taplo-lint**: pass `--no-schema`. Upstream's `--default-schema-catalogs` returns a format taplo v0.9.3 can't parse — we don't validate against TOML schemas anyway, so this turns off the broken catalog fetch.
- **docs/update-tooling-dependencies**: documents the SHA-pin convention, `docker buildx imagetools inspect` for digest lookup, and `prek clean` before re-verifying (cache grows to several GiB).
Forgejo workflow `actions/checkout@v6.0.2` was already at the latest SHA — no change.
## Test plan
- [x] `prek run --all-files` passes after `prek clean`
- [x] `deploy-fly` workflow builds and deploys the new fly image on merge
- [x] `fly status -a blumeops-proxy` healthy after deploy
- [x] Spot-check a few mise tasks (`mise run blumeops-tasks`, `mise run docs-check-links`) to confirm pinned deps resolve cleanly
Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/344
2026-04-30 16:51:43 -07:00
|
|
|
rev = "745eface02aef23e168a8afb6b5737818efbea95" # v0.11.0.1
|
2026-03-02 18:15:23 -08:00
|
|
|
hooks = [{ id = "shellcheck", args = ["--severity=warning"] }]
|
|
|
|
|
|
|
|
|
|
[[repos]]
|
|
|
|
|
repo = "https://github.com/scop/pre-commit-shfmt"
|
C1: SHA-pin tooling dependencies (2026-04 cycle) (#344)
## Summary
Monthly tooling dependency refresh, with a one-time conversion from version-tag pins (`rev = "vX.Y.Z"`, `image:tag`, `>=`) to SHA / digest pins everywhere.
## Changes
- **prek hooks**: all `rev = "vX.Y.Z"` → commit SHA + `# vX.Y.Z` comment. Bumped trufflehog (3.94.0→3.95.2), kingfisher (1.91.0→1.97.0), ruff (0.15.7→0.15.12), shfmt (3.13.0→3.13.1), prettier (3.8.1→3.8.3), actionlint (1.7.11→1.7.12).
- **fly/Dockerfile**: tag pins → `image@sha256:...` digest pins. Bumped nginx (1.29.6→1.30.0-alpine), tailscale (v1.94.1→v1.94.2 — still inside the safe pre-1.96.5 range), alloy (v1.14.1→v1.16.0).
- **mise-tasks**: PEP 723 inline deps converted from `>=` to `==` (PEP 508 doesn't support hashes inline). All scripts pinned to current latest: rich 15.0.0, typer 0.25.0, pyyaml 6.0.3, httpx 0.28.1.
- **prek `additional_dependencies`**: ansible-lint==26.4.0, ansible-core==2.20.5.
- **taplo-lint**: pass `--no-schema`. Upstream's `--default-schema-catalogs` returns a format taplo v0.9.3 can't parse — we don't validate against TOML schemas anyway, so this turns off the broken catalog fetch.
- **docs/update-tooling-dependencies**: documents the SHA-pin convention, `docker buildx imagetools inspect` for digest lookup, and `prek clean` before re-verifying (cache grows to several GiB).
Forgejo workflow `actions/checkout@v6.0.2` was already at the latest SHA — no change.
## Test plan
- [x] `prek run --all-files` passes after `prek clean`
- [x] `deploy-fly` workflow builds and deploys the new fly image on merge
- [x] `fly status -a blumeops-proxy` healthy after deploy
- [x] Spot-check a few mise tasks (`mise run blumeops-tasks`, `mise run docs-check-links`) to confirm pinned deps resolve cleanly
Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/344
2026-04-30 16:51:43 -07:00
|
|
|
rev = "05c1426671b9237fb5e1444dd63aa5731bec0dfb" # v3.13.1-1
|
2026-03-02 18:15:23 -08:00
|
|
|
hooks = [{ id = "shfmt", args = ["-i", "2", "-ci", "-bn"] }]
|
|
|
|
|
|
|
|
|
|
# TOML - taplo
|
|
|
|
|
[[repos]]
|
|
|
|
|
repo = "https://github.com/ComPWA/taplo-pre-commit"
|
C1: SHA-pin tooling dependencies (2026-04 cycle) (#344)
## Summary
Monthly tooling dependency refresh, with a one-time conversion from version-tag pins (`rev = "vX.Y.Z"`, `image:tag`, `>=`) to SHA / digest pins everywhere.
## Changes
- **prek hooks**: all `rev = "vX.Y.Z"` → commit SHA + `# vX.Y.Z` comment. Bumped trufflehog (3.94.0→3.95.2), kingfisher (1.91.0→1.97.0), ruff (0.15.7→0.15.12), shfmt (3.13.0→3.13.1), prettier (3.8.1→3.8.3), actionlint (1.7.11→1.7.12).
- **fly/Dockerfile**: tag pins → `image@sha256:...` digest pins. Bumped nginx (1.29.6→1.30.0-alpine), tailscale (v1.94.1→v1.94.2 — still inside the safe pre-1.96.5 range), alloy (v1.14.1→v1.16.0).
- **mise-tasks**: PEP 723 inline deps converted from `>=` to `==` (PEP 508 doesn't support hashes inline). All scripts pinned to current latest: rich 15.0.0, typer 0.25.0, pyyaml 6.0.3, httpx 0.28.1.
- **prek `additional_dependencies`**: ansible-lint==26.4.0, ansible-core==2.20.5.
- **taplo-lint**: pass `--no-schema`. Upstream's `--default-schema-catalogs` returns a format taplo v0.9.3 can't parse — we don't validate against TOML schemas anyway, so this turns off the broken catalog fetch.
- **docs/update-tooling-dependencies**: documents the SHA-pin convention, `docker buildx imagetools inspect` for digest lookup, and `prek clean` before re-verifying (cache grows to several GiB).
Forgejo workflow `actions/checkout@v6.0.2` was already at the latest SHA — no change.
## Test plan
- [x] `prek run --all-files` passes after `prek clean`
- [x] `deploy-fly` workflow builds and deploys the new fly image on merge
- [x] `fly status -a blumeops-proxy` healthy after deploy
- [x] Spot-check a few mise tasks (`mise run blumeops-tasks`, `mise run docs-check-links`) to confirm pinned deps resolve cleanly
Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/344
2026-04-30 16:51:43 -07:00
|
|
|
rev = "23eab0f0eedcbedebff420f5fdfb284744adc7b3" # v0.9.3
|
|
|
|
|
hooks = [{ id = "taplo-format" }, { id = "taplo-lint", args = ["--no-schema"] }]
|
2026-03-02 18:15:23 -08:00
|
|
|
|
|
|
|
|
# JSON formatting (prettier for consistent style)
|
|
|
|
|
[[repos]]
|
|
|
|
|
repo = "https://github.com/rbubley/mirrors-prettier"
|
C1: SHA-pin tooling dependencies (2026-04 cycle) (#344)
## Summary
Monthly tooling dependency refresh, with a one-time conversion from version-tag pins (`rev = "vX.Y.Z"`, `image:tag`, `>=`) to SHA / digest pins everywhere.
## Changes
- **prek hooks**: all `rev = "vX.Y.Z"` → commit SHA + `# vX.Y.Z` comment. Bumped trufflehog (3.94.0→3.95.2), kingfisher (1.91.0→1.97.0), ruff (0.15.7→0.15.12), shfmt (3.13.0→3.13.1), prettier (3.8.1→3.8.3), actionlint (1.7.11→1.7.12).
- **fly/Dockerfile**: tag pins → `image@sha256:...` digest pins. Bumped nginx (1.29.6→1.30.0-alpine), tailscale (v1.94.1→v1.94.2 — still inside the safe pre-1.96.5 range), alloy (v1.14.1→v1.16.0).
- **mise-tasks**: PEP 723 inline deps converted from `>=` to `==` (PEP 508 doesn't support hashes inline). All scripts pinned to current latest: rich 15.0.0, typer 0.25.0, pyyaml 6.0.3, httpx 0.28.1.
- **prek `additional_dependencies`**: ansible-lint==26.4.0, ansible-core==2.20.5.
- **taplo-lint**: pass `--no-schema`. Upstream's `--default-schema-catalogs` returns a format taplo v0.9.3 can't parse — we don't validate against TOML schemas anyway, so this turns off the broken catalog fetch.
- **docs/update-tooling-dependencies**: documents the SHA-pin convention, `docker buildx imagetools inspect` for digest lookup, and `prek clean` before re-verifying (cache grows to several GiB).
Forgejo workflow `actions/checkout@v6.0.2` was already at the latest SHA — no change.
## Test plan
- [x] `prek run --all-files` passes after `prek clean`
- [x] `deploy-fly` workflow builds and deploys the new fly image on merge
- [x] `fly status -a blumeops-proxy` healthy after deploy
- [x] Spot-check a few mise tasks (`mise run blumeops-tasks`, `mise run docs-check-links`) to confirm pinned deps resolve cleanly
Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/344
2026-04-30 16:51:43 -07:00
|
|
|
rev = "515f543f5718ebfd6ce22e16708bb32c68ff96e1" # v3.8.3
|
2026-03-02 18:15:23 -08:00
|
|
|
hooks = [{ id = "prettier", types_or = ["json"], args = ["--tab-width", "2"] }]
|
|
|
|
|
|
|
|
|
|
# GitHub/Forgejo Actions workflow linting
|
|
|
|
|
[[repos]]
|
|
|
|
|
repo = "https://github.com/rhysd/actionlint"
|
C1: SHA-pin tooling dependencies (2026-04 cycle) (#344)
## Summary
Monthly tooling dependency refresh, with a one-time conversion from version-tag pins (`rev = "vX.Y.Z"`, `image:tag`, `>=`) to SHA / digest pins everywhere.
## Changes
- **prek hooks**: all `rev = "vX.Y.Z"` → commit SHA + `# vX.Y.Z` comment. Bumped trufflehog (3.94.0→3.95.2), kingfisher (1.91.0→1.97.0), ruff (0.15.7→0.15.12), shfmt (3.13.0→3.13.1), prettier (3.8.1→3.8.3), actionlint (1.7.11→1.7.12).
- **fly/Dockerfile**: tag pins → `image@sha256:...` digest pins. Bumped nginx (1.29.6→1.30.0-alpine), tailscale (v1.94.1→v1.94.2 — still inside the safe pre-1.96.5 range), alloy (v1.14.1→v1.16.0).
- **mise-tasks**: PEP 723 inline deps converted from `>=` to `==` (PEP 508 doesn't support hashes inline). All scripts pinned to current latest: rich 15.0.0, typer 0.25.0, pyyaml 6.0.3, httpx 0.28.1.
- **prek `additional_dependencies`**: ansible-lint==26.4.0, ansible-core==2.20.5.
- **taplo-lint**: pass `--no-schema`. Upstream's `--default-schema-catalogs` returns a format taplo v0.9.3 can't parse — we don't validate against TOML schemas anyway, so this turns off the broken catalog fetch.
- **docs/update-tooling-dependencies**: documents the SHA-pin convention, `docker buildx imagetools inspect` for digest lookup, and `prek clean` before re-verifying (cache grows to several GiB).
Forgejo workflow `actions/checkout@v6.0.2` was already at the latest SHA — no change.
## Test plan
- [x] `prek run --all-files` passes after `prek clean`
- [x] `deploy-fly` workflow builds and deploys the new fly image on merge
- [x] `fly status -a blumeops-proxy` healthy after deploy
- [x] Spot-check a few mise tasks (`mise run blumeops-tasks`, `mise run docs-check-links`) to confirm pinned deps resolve cleanly
Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/344
2026-04-30 16:51:43 -07:00
|
|
|
rev = "914e7df21a07ef503a81201c76d2b11c789d3fca" # v1.7.12
|
2026-03-02 18:15:23 -08:00
|
|
|
hooks = [
|
|
|
|
|
{ id = "actionlint-system", args = [
|
|
|
|
|
"-config-file",
|
|
|
|
|
".github/actionlint.yaml",
|
|
|
|
|
], files = '\.forgejo/workflows/' },
|
|
|
|
|
]
|
|
|
|
|
|
|
|
|
|
# Custom local hooks
|
|
|
|
|
|
|
|
|
|
# Forgejo workflow schema validation (via Dagger + forgejo-runner validate)
|
|
|
|
|
[[repos]]
|
|
|
|
|
repo = "local"
|
|
|
|
|
|
|
|
|
|
[[repos.hooks]]
|
|
|
|
|
id = "validate-workflows"
|
|
|
|
|
name = "validate-workflows"
|
|
|
|
|
entry = "mise run validate-workflows"
|
|
|
|
|
language = "system"
|
|
|
|
|
files = '\.forgejo/workflows/'
|
|
|
|
|
pass_filenames = false
|
|
|
|
|
|
|
|
|
|
# Container version consistency
|
|
|
|
|
[[repos]]
|
|
|
|
|
repo = "local"
|
|
|
|
|
|
|
|
|
|
[[repos.hooks]]
|
|
|
|
|
id = "container-version-check"
|
|
|
|
|
name = "container-version-check"
|
|
|
|
|
entry = "mise run container-version-check"
|
|
|
|
|
language = "system"
|
|
|
|
|
files = "^(containers/|service-versions\\.yaml)"
|
|
|
|
|
pass_filenames = false
|
|
|
|
|
|
2026-03-03 10:49:01 -08:00
|
|
|
# Changelog fragment validation (no subdirectories)
|
|
|
|
|
[[repos]]
|
|
|
|
|
repo = "local"
|
|
|
|
|
|
|
|
|
|
[[repos.hooks]]
|
|
|
|
|
id = "changelog-check"
|
|
|
|
|
name = "changelog-check"
|
|
|
|
|
entry = "mise run changelog-check"
|
|
|
|
|
language = "system"
|
|
|
|
|
files = '^docs/changelog\.d/'
|
|
|
|
|
pass_filenames = false
|
|
|
|
|
|
2026-03-02 18:15:23 -08:00
|
|
|
# Mikado Branch Invariant (C2 changes)
|
|
|
|
|
[[repos]]
|
|
|
|
|
repo = "local"
|
|
|
|
|
|
|
|
|
|
[[repos.hooks]]
|
|
|
|
|
id = "mikado-branch-invariant-check"
|
|
|
|
|
name = "mikado-branch-invariant-check"
|
|
|
|
|
entry = "mise run mikado-branch-invariant-check"
|
|
|
|
|
language = "system"
|
|
|
|
|
always_run = true
|
|
|
|
|
stages = ["commit-msg"]
|
|
|
|
|
|
|
|
|
|
# Documentation validation
|
|
|
|
|
[[repos]]
|
|
|
|
|
repo = "local"
|
|
|
|
|
|
|
|
|
|
[[repos.hooks]]
|
|
|
|
|
id = "docs-check-links"
|
|
|
|
|
name = "docs-check-links"
|
|
|
|
|
entry = "mise run docs-check-links"
|
|
|
|
|
language = "system"
|
|
|
|
|
files = '^docs/.*\.md$'
|
|
|
|
|
pass_filenames = false
|
|
|
|
|
|
|
|
|
|
[[repos.hooks]]
|
|
|
|
|
id = "docs-check-frontmatter"
|
|
|
|
|
name = "docs-check-frontmatter"
|
|
|
|
|
entry = "mise run docs-check-frontmatter"
|
|
|
|
|
language = "system"
|
|
|
|
|
files = '^docs/.*\.md$'
|
|
|
|
|
pass_filenames = false
|