eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/docs/how-to/configuration/update-tooling-dependencies.md

93 lines
4.3 KiB
Markdown
Raw Normal View History

Update tooling dependencies (Feb 2026 cycle) (#254) ## Summary Monthly tooling dependency update cycle: - **Pre-commit hooks**: trufflehog v3.92.5→v3.93.4, ruff v0.14.13→v0.15.2, shellcheck v0.10.0.1→v0.11.0.1, prettier v3.8.0→v3.8.1, actionlint v1.7.10→v1.7.11 - **Fly.io Dockerfile**: pin nginx to 1.28.2-alpine (was unpinned), bump alloy v1.5.1→v1.13.1 - **Mise tasks**: normalize httpx lower bound to >=0.28.0 and typer to >=0.15.0 across all scripts - **Forgejo workflows**: actions/checkout@v4 is current, no changes needed - **New how-to doc**: [[update-tooling-dependencies]] documenting this monthly cycle ## No changes needed - pre-commit-hooks v6.0.0, yamllint v1.38.0, shfmt v3.12.0-2, taplo v0.9.3, ansible-lint 26.1.1 — all already at latest ## Test plan - [x] `uvx pre-commit run --all-files` — all 24 hooks pass - [ ] Fly.io deploy (triggered automatically on merge to main via deploy-fly workflow) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/254
2026-02-23 13:08:41 -08:00
---
title: Update Tooling Dependencies
modified: 2026-02-23
last-reviewed: 2026-02-23
tags:
- how-to
- configuration
Update tooling dependencies (Feb 2026 cycle) Pre-commit: trufflehog v3.93.4, ruff v0.15.2, shellcheck v0.11.0.1, prettier v3.8.1, actionlint v1.7.11 Fly.io: pin nginx 1.28.2-alpine, bump alloy v1.5.1 -> v1.13.1 Forgejo workflows: pin actions/checkout to SHA (v4.3.1) Mise tasks: normalize httpx>=0.28.0, typer>=0.15.0 across all scripts Add how-to doc for the monthly tooling dependency update cycle. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-23 12:15:23 -08:00
aliases: []
id: update-tooling-dependencies
Update tooling dependencies (Feb 2026 cycle) (#254) ## Summary Monthly tooling dependency update cycle: - **Pre-commit hooks**: trufflehog v3.92.5→v3.93.4, ruff v0.14.13→v0.15.2, shellcheck v0.10.0.1→v0.11.0.1, prettier v3.8.0→v3.8.1, actionlint v1.7.10→v1.7.11 - **Fly.io Dockerfile**: pin nginx to 1.28.2-alpine (was unpinned), bump alloy v1.5.1→v1.13.1 - **Mise tasks**: normalize httpx lower bound to >=0.28.0 and typer to >=0.15.0 across all scripts - **Forgejo workflows**: actions/checkout@v4 is current, no changes needed - **New how-to doc**: [[update-tooling-dependencies]] documenting this monthly cycle ## No changes needed - pre-commit-hooks v6.0.0, yamllint v1.38.0, shfmt v3.12.0-2, taplo v0.9.3, ansible-lint 26.1.1 — all already at latest ## Test plan - [x] `uvx pre-commit run --all-files` — all 24 hooks pass - [ ] Fly.io deploy (triggered automatically on merge to main via deploy-fly workflow) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/254
2026-02-23 13:08:41 -08:00
---
# Update Tooling Dependencies
Monthly maintenance cycle for updating development tooling and CI dependencies. This is separate from [[review-services]], which tracks deployed service versions.
## Scope
| Category | Location | What to check |
|----------|----------|---------------|
Switch git hooks from pre-commit to prek (#276) ## Summary - Replace pre-commit with [prek](https://github.com/j178/prek), a faster Rust-native drop-in alternative - Migrate config from `.pre-commit-config.yaml` (YAML) to `prek.toml` (TOML) - Add new built-in checks: case conflicts, private key detection, executable shebangs - Install prek via mise native registry (`aqua:j178/prek`) instead of pipx - Update all doc references across README, contributing guide, and how-to docs ## Notes - `check-yaml` still uses the remote `pre-commit-hooks` repo because prek's builtin fast path doesn't support `--unsafe` yet (needed for Ansible custom YAML tags) - All existing custom hooks (docs validation, container version check, mikado invariant, workflow validation) work unchanged - Tested: all hooks pass on clean tree, deliberate doc link breakage is caught ## Test plan - [x] `prek run --all-files` passes all checks - [x] Broken wiki-link correctly caught by `docs-check-links` - [x] taplo-format auto-fixes TOML formatting on commit - [x] commit-msg hook (mikado invariant) fires correctly Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/276
2026-03-02 18:15:23 -08:00
| Prek hooks | `prek.toml` | `rev:` tags for all remote repos |
Update tooling dependencies (Feb 2026 cycle) (#254) ## Summary Monthly tooling dependency update cycle: - **Pre-commit hooks**: trufflehog v3.92.5→v3.93.4, ruff v0.14.13→v0.15.2, shellcheck v0.10.0.1→v0.11.0.1, prettier v3.8.0→v3.8.1, actionlint v1.7.10→v1.7.11 - **Fly.io Dockerfile**: pin nginx to 1.28.2-alpine (was unpinned), bump alloy v1.5.1→v1.13.1 - **Mise tasks**: normalize httpx lower bound to >=0.28.0 and typer to >=0.15.0 across all scripts - **Forgejo workflows**: actions/checkout@v4 is current, no changes needed - **New how-to doc**: [[update-tooling-dependencies]] documenting this monthly cycle ## No changes needed - pre-commit-hooks v6.0.0, yamllint v1.38.0, shfmt v3.12.0-2, taplo v0.9.3, ansible-lint 26.1.1 — all already at latest ## Test plan - [x] `uvx pre-commit run --all-files` — all 24 hooks pass - [ ] Fly.io deploy (triggered automatically on merge to main via deploy-fly workflow) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/254
2026-02-23 13:08:41 -08:00
| Fly.io proxy | `fly/Dockerfile` | Pinned image tags (nginx, alloy) |
| Mise task scripts | `mise-tasks/*` | Python `# dependencies` lower bounds |
| Forgejo workflows | `.forgejo/workflows/*.yaml` | `uses:` action versions |
Out of scope: ArgoCD-deployed service images, Ansible role versions, NixOS flake inputs. Those are covered by [[review-services]] and [[manage-lockfile]].
## Procedure
Switch git hooks from pre-commit to prek (#276) ## Summary - Replace pre-commit with [prek](https://github.com/j178/prek), a faster Rust-native drop-in alternative - Migrate config from `.pre-commit-config.yaml` (YAML) to `prek.toml` (TOML) - Add new built-in checks: case conflicts, private key detection, executable shebangs - Install prek via mise native registry (`aqua:j178/prek`) instead of pipx - Update all doc references across README, contributing guide, and how-to docs ## Notes - `check-yaml` still uses the remote `pre-commit-hooks` repo because prek's builtin fast path doesn't support `--unsafe` yet (needed for Ansible custom YAML tags) - All existing custom hooks (docs validation, container version check, mikado invariant, workflow validation) work unchanged - Tested: all hooks pass on clean tree, deliberate doc link breakage is caught ## Test plan - [x] `prek run --all-files` passes all checks - [x] Broken wiki-link correctly caught by `docs-check-links` - [x] taplo-format auto-fixes TOML formatting on commit - [x] commit-msg hook (mikado invariant) fires correctly Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/276
2026-03-02 18:15:23 -08:00
### 1. Check prek hook versions
Update tooling dependencies (Feb 2026 cycle) (#254) ## Summary Monthly tooling dependency update cycle: - **Pre-commit hooks**: trufflehog v3.92.5→v3.93.4, ruff v0.14.13→v0.15.2, shellcheck v0.10.0.1→v0.11.0.1, prettier v3.8.0→v3.8.1, actionlint v1.7.10→v1.7.11 - **Fly.io Dockerfile**: pin nginx to 1.28.2-alpine (was unpinned), bump alloy v1.5.1→v1.13.1 - **Mise tasks**: normalize httpx lower bound to >=0.28.0 and typer to >=0.15.0 across all scripts - **Forgejo workflows**: actions/checkout@v4 is current, no changes needed - **New how-to doc**: [[update-tooling-dependencies]] documenting this monthly cycle ## No changes needed - pre-commit-hooks v6.0.0, yamllint v1.38.0, shfmt v3.12.0-2, taplo v0.9.3, ansible-lint 26.1.1 — all already at latest ## Test plan - [x] `uvx pre-commit run --all-files` — all 24 hooks pass - [ ] Fly.io deploy (triggered automatically on merge to main via deploy-fly workflow) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/254
2026-02-23 13:08:41 -08:00
C1: SHA-pin tooling dependencies (2026-04 cycle) (#344) ## Summary Monthly tooling dependency refresh, with a one-time conversion from version-tag pins (`rev = "vX.Y.Z"`, `image:tag`, `>=`) to SHA / digest pins everywhere. ## Changes - **prek hooks**: all `rev = "vX.Y.Z"` → commit SHA + `# vX.Y.Z` comment. Bumped trufflehog (3.94.0→3.95.2), kingfisher (1.91.0→1.97.0), ruff (0.15.7→0.15.12), shfmt (3.13.0→3.13.1), prettier (3.8.1→3.8.3), actionlint (1.7.11→1.7.12). - **fly/Dockerfile**: tag pins → `image@sha256:...` digest pins. Bumped nginx (1.29.6→1.30.0-alpine), tailscale (v1.94.1→v1.94.2 — still inside the safe pre-1.96.5 range), alloy (v1.14.1→v1.16.0). - **mise-tasks**: PEP 723 inline deps converted from `>=` to `==` (PEP 508 doesn't support hashes inline). All scripts pinned to current latest: rich 15.0.0, typer 0.25.0, pyyaml 6.0.3, httpx 0.28.1. - **prek `additional_dependencies`**: ansible-lint==26.4.0, ansible-core==2.20.5. - **taplo-lint**: pass `--no-schema`. Upstream's `--default-schema-catalogs` returns a format taplo v0.9.3 can't parse — we don't validate against TOML schemas anyway, so this turns off the broken catalog fetch. - **docs/update-tooling-dependencies**: documents the SHA-pin convention, `docker buildx imagetools inspect` for digest lookup, and `prek clean` before re-verifying (cache grows to several GiB). Forgejo workflow `actions/checkout@v6.0.2` was already at the latest SHA — no change. ## Test plan - [x] `prek run --all-files` passes after `prek clean` - [x] `deploy-fly` workflow builds and deploys the new fly image on merge - [x] `fly status -a blumeops-proxy` healthy after deploy - [x] Spot-check a few mise tasks (`mise run blumeops-tasks`, `mise run docs-check-links`) to confirm pinned deps resolve cleanly Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/344
2026-04-30 16:51:43 -07:00
For each repo in `prek.toml` with a `rev =` value, check the upstream GitHub releases page for a newer tag. Update each `rev` to the **commit SHA** of the latest release with a trailing `# vX.Y.Z` comment (matches the `additional_dependencies` and Forgejo workflow pinning style). Also check `additional_dependencies` entries for PyPI version bumps and pin them with `==`.
Update tooling dependencies (Feb 2026 cycle) (#254) ## Summary Monthly tooling dependency update cycle: - **Pre-commit hooks**: trufflehog v3.92.5→v3.93.4, ruff v0.14.13→v0.15.2, shellcheck v0.10.0.1→v0.11.0.1, prettier v3.8.0→v3.8.1, actionlint v1.7.10→v1.7.11 - **Fly.io Dockerfile**: pin nginx to 1.28.2-alpine (was unpinned), bump alloy v1.5.1→v1.13.1 - **Mise tasks**: normalize httpx lower bound to >=0.28.0 and typer to >=0.15.0 across all scripts - **Forgejo workflows**: actions/checkout@v4 is current, no changes needed - **New how-to doc**: [[update-tooling-dependencies]] documenting this monthly cycle ## No changes needed - pre-commit-hooks v6.0.0, yamllint v1.38.0, shfmt v3.12.0-2, taplo v0.9.3, ansible-lint 26.1.1 — all already at latest ## Test plan - [x] `uvx pre-commit run --all-files` — all 24 hooks pass - [ ] Fly.io deploy (triggered automatically on merge to main via deploy-fly workflow) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/254
2026-02-23 13:08:41 -08:00
C1: SHA-pin tooling dependencies (2026-04 cycle) (#344) ## Summary Monthly tooling dependency refresh, with a one-time conversion from version-tag pins (`rev = "vX.Y.Z"`, `image:tag`, `>=`) to SHA / digest pins everywhere. ## Changes - **prek hooks**: all `rev = "vX.Y.Z"` → commit SHA + `# vX.Y.Z` comment. Bumped trufflehog (3.94.0→3.95.2), kingfisher (1.91.0→1.97.0), ruff (0.15.7→0.15.12), shfmt (3.13.0→3.13.1), prettier (3.8.1→3.8.3), actionlint (1.7.11→1.7.12). - **fly/Dockerfile**: tag pins → `image@sha256:...` digest pins. Bumped nginx (1.29.6→1.30.0-alpine), tailscale (v1.94.1→v1.94.2 — still inside the safe pre-1.96.5 range), alloy (v1.14.1→v1.16.0). - **mise-tasks**: PEP 723 inline deps converted from `>=` to `==` (PEP 508 doesn't support hashes inline). All scripts pinned to current latest: rich 15.0.0, typer 0.25.0, pyyaml 6.0.3, httpx 0.28.1. - **prek `additional_dependencies`**: ansible-lint==26.4.0, ansible-core==2.20.5. - **taplo-lint**: pass `--no-schema`. Upstream's `--default-schema-catalogs` returns a format taplo v0.9.3 can't parse — we don't validate against TOML schemas anyway, so this turns off the broken catalog fetch. - **docs/update-tooling-dependencies**: documents the SHA-pin convention, `docker buildx imagetools inspect` for digest lookup, and `prek clean` before re-verifying (cache grows to several GiB). Forgejo workflow `actions/checkout@v6.0.2` was already at the latest SHA — no change. ## Test plan - [x] `prek run --all-files` passes after `prek clean` - [x] `deploy-fly` workflow builds and deploys the new fly image on merge - [x] `fly status -a blumeops-proxy` healthy after deploy - [x] Spot-check a few mise tasks (`mise run blumeops-tasks`, `mise run docs-check-links`) to confirm pinned deps resolve cleanly Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/344
2026-04-30 16:51:43 -07:00
```fish
git ls-remote --tags https://github.com/<owner>/<repo>.git 'refs/tags/v*' | sort -t/ -k3 -V | tail -5
```
Clear the prek cache before verifying — it can grow to several GiB (one venv per hook per version) and old cached environments can mask resolution failures or stale catalogs:
Update tooling dependencies (Feb 2026 cycle) (#254) ## Summary Monthly tooling dependency update cycle: - **Pre-commit hooks**: trufflehog v3.92.5→v3.93.4, ruff v0.14.13→v0.15.2, shellcheck v0.10.0.1→v0.11.0.1, prettier v3.8.0→v3.8.1, actionlint v1.7.10→v1.7.11 - **Fly.io Dockerfile**: pin nginx to 1.28.2-alpine (was unpinned), bump alloy v1.5.1→v1.13.1 - **Mise tasks**: normalize httpx lower bound to >=0.28.0 and typer to >=0.15.0 across all scripts - **Forgejo workflows**: actions/checkout@v4 is current, no changes needed - **New how-to doc**: [[update-tooling-dependencies]] documenting this monthly cycle ## No changes needed - pre-commit-hooks v6.0.0, yamllint v1.38.0, shfmt v3.12.0-2, taplo v0.9.3, ansible-lint 26.1.1 — all already at latest ## Test plan - [x] `uvx pre-commit run --all-files` — all 24 hooks pass - [ ] Fly.io deploy (triggered automatically on merge to main via deploy-fly workflow) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/254
2026-02-23 13:08:41 -08:00
```fish
C1: SHA-pin tooling dependencies (2026-04 cycle) (#344) ## Summary Monthly tooling dependency refresh, with a one-time conversion from version-tag pins (`rev = "vX.Y.Z"`, `image:tag`, `>=`) to SHA / digest pins everywhere. ## Changes - **prek hooks**: all `rev = "vX.Y.Z"` → commit SHA + `# vX.Y.Z` comment. Bumped trufflehog (3.94.0→3.95.2), kingfisher (1.91.0→1.97.0), ruff (0.15.7→0.15.12), shfmt (3.13.0→3.13.1), prettier (3.8.1→3.8.3), actionlint (1.7.11→1.7.12). - **fly/Dockerfile**: tag pins → `image@sha256:...` digest pins. Bumped nginx (1.29.6→1.30.0-alpine), tailscale (v1.94.1→v1.94.2 — still inside the safe pre-1.96.5 range), alloy (v1.14.1→v1.16.0). - **mise-tasks**: PEP 723 inline deps converted from `>=` to `==` (PEP 508 doesn't support hashes inline). All scripts pinned to current latest: rich 15.0.0, typer 0.25.0, pyyaml 6.0.3, httpx 0.28.1. - **prek `additional_dependencies`**: ansible-lint==26.4.0, ansible-core==2.20.5. - **taplo-lint**: pass `--no-schema`. Upstream's `--default-schema-catalogs` returns a format taplo v0.9.3 can't parse — we don't validate against TOML schemas anyway, so this turns off the broken catalog fetch. - **docs/update-tooling-dependencies**: documents the SHA-pin convention, `docker buildx imagetools inspect` for digest lookup, and `prek clean` before re-verifying (cache grows to several GiB). Forgejo workflow `actions/checkout@v6.0.2` was already at the latest SHA — no change. ## Test plan - [x] `prek run --all-files` passes after `prek clean` - [x] `deploy-fly` workflow builds and deploys the new fly image on merge - [x] `fly status -a blumeops-proxy` healthy after deploy - [x] Spot-check a few mise tasks (`mise run blumeops-tasks`, `mise run docs-check-links`) to confirm pinned deps resolve cleanly Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/344
2026-04-30 16:51:43 -07:00
prek clean
Switch git hooks from pre-commit to prek (#276) ## Summary - Replace pre-commit with [prek](https://github.com/j178/prek), a faster Rust-native drop-in alternative - Migrate config from `.pre-commit-config.yaml` (YAML) to `prek.toml` (TOML) - Add new built-in checks: case conflicts, private key detection, executable shebangs - Install prek via mise native registry (`aqua:j178/prek`) instead of pipx - Update all doc references across README, contributing guide, and how-to docs ## Notes - `check-yaml` still uses the remote `pre-commit-hooks` repo because prek's builtin fast path doesn't support `--unsafe` yet (needed for Ansible custom YAML tags) - All existing custom hooks (docs validation, container version check, mikado invariant, workflow validation) work unchanged - Tested: all hooks pass on clean tree, deliberate doc link breakage is caught ## Test plan - [x] `prek run --all-files` passes all checks - [x] Broken wiki-link correctly caught by `docs-check-links` - [x] taplo-format auto-fixes TOML formatting on commit - [x] commit-msg hook (mikado invariant) fires correctly Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/276
2026-03-02 18:15:23 -08:00
prek run --all-files
Update tooling dependencies (Feb 2026 cycle) (#254) ## Summary Monthly tooling dependency update cycle: - **Pre-commit hooks**: trufflehog v3.92.5→v3.93.4, ruff v0.14.13→v0.15.2, shellcheck v0.10.0.1→v0.11.0.1, prettier v3.8.0→v3.8.1, actionlint v1.7.10→v1.7.11 - **Fly.io Dockerfile**: pin nginx to 1.28.2-alpine (was unpinned), bump alloy v1.5.1→v1.13.1 - **Mise tasks**: normalize httpx lower bound to >=0.28.0 and typer to >=0.15.0 across all scripts - **Forgejo workflows**: actions/checkout@v4 is current, no changes needed - **New how-to doc**: [[update-tooling-dependencies]] documenting this monthly cycle ## No changes needed - pre-commit-hooks v6.0.0, yamllint v1.38.0, shfmt v3.12.0-2, taplo v0.9.3, ansible-lint 26.1.1 — all already at latest ## Test plan - [x] `uvx pre-commit run --all-files` — all 24 hooks pass - [ ] Fly.io deploy (triggered automatically on merge to main via deploy-fly workflow) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/254
2026-02-23 13:08:41 -08:00
```
### 2. Check Fly.io Dockerfile pins
C1: SHA-pin tooling dependencies (2026-04 cycle) (#344) ## Summary Monthly tooling dependency refresh, with a one-time conversion from version-tag pins (`rev = "vX.Y.Z"`, `image:tag`, `>=`) to SHA / digest pins everywhere. ## Changes - **prek hooks**: all `rev = "vX.Y.Z"` → commit SHA + `# vX.Y.Z` comment. Bumped trufflehog (3.94.0→3.95.2), kingfisher (1.91.0→1.97.0), ruff (0.15.7→0.15.12), shfmt (3.13.0→3.13.1), prettier (3.8.1→3.8.3), actionlint (1.7.11→1.7.12). - **fly/Dockerfile**: tag pins → `image@sha256:...` digest pins. Bumped nginx (1.29.6→1.30.0-alpine), tailscale (v1.94.1→v1.94.2 — still inside the safe pre-1.96.5 range), alloy (v1.14.1→v1.16.0). - **mise-tasks**: PEP 723 inline deps converted from `>=` to `==` (PEP 508 doesn't support hashes inline). All scripts pinned to current latest: rich 15.0.0, typer 0.25.0, pyyaml 6.0.3, httpx 0.28.1. - **prek `additional_dependencies`**: ansible-lint==26.4.0, ansible-core==2.20.5. - **taplo-lint**: pass `--no-schema`. Upstream's `--default-schema-catalogs` returns a format taplo v0.9.3 can't parse — we don't validate against TOML schemas anyway, so this turns off the broken catalog fetch. - **docs/update-tooling-dependencies**: documents the SHA-pin convention, `docker buildx imagetools inspect` for digest lookup, and `prek clean` before re-verifying (cache grows to several GiB). Forgejo workflow `actions/checkout@v6.0.2` was already at the latest SHA — no change. ## Test plan - [x] `prek run --all-files` passes after `prek clean` - [x] `deploy-fly` workflow builds and deploys the new fly image on merge - [x] `fly status -a blumeops-proxy` healthy after deploy - [x] Spot-check a few mise tasks (`mise run blumeops-tasks`, `mise run docs-check-links`) to confirm pinned deps resolve cleanly Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/344
2026-04-30 16:51:43 -07:00
Review `fly/Dockerfile` for pinned image digests. Each `FROM` and `COPY --from=` uses `image@sha256:...` digest pinning with a comment line above documenting the human-readable version.
Update tooling dependencies (Feb 2026 cycle) (#254) ## Summary Monthly tooling dependency update cycle: - **Pre-commit hooks**: trufflehog v3.92.5→v3.93.4, ruff v0.14.13→v0.15.2, shellcheck v0.10.0.1→v0.11.0.1, prettier v3.8.0→v3.8.1, actionlint v1.7.10→v1.7.11 - **Fly.io Dockerfile**: pin nginx to 1.28.2-alpine (was unpinned), bump alloy v1.5.1→v1.13.1 - **Mise tasks**: normalize httpx lower bound to >=0.28.0 and typer to >=0.15.0 across all scripts - **Forgejo workflows**: actions/checkout@v4 is current, no changes needed - **New how-to doc**: [[update-tooling-dependencies]] documenting this monthly cycle ## No changes needed - pre-commit-hooks v6.0.0, yamllint v1.38.0, shfmt v3.12.0-2, taplo v0.9.3, ansible-lint 26.1.1 — all already at latest ## Test plan - [x] `uvx pre-commit run --all-files` — all 24 hooks pass - [ ] Fly.io deploy (triggered automatically on merge to main via deploy-fly workflow) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/254
2026-02-23 13:08:41 -08:00
- **nginx** — check [Docker Hub](https://hub.docker.com/_/nginx) for latest stable alpine tag
- **grafana/alloy** — check [GitHub releases](https://github.com/grafana/alloy/releases)
C1: SHA-pin tooling dependencies (2026-04 cycle) (#344) ## Summary Monthly tooling dependency refresh, with a one-time conversion from version-tag pins (`rev = "vX.Y.Z"`, `image:tag`, `>=`) to SHA / digest pins everywhere. ## Changes - **prek hooks**: all `rev = "vX.Y.Z"` → commit SHA + `# vX.Y.Z` comment. Bumped trufflehog (3.94.0→3.95.2), kingfisher (1.91.0→1.97.0), ruff (0.15.7→0.15.12), shfmt (3.13.0→3.13.1), prettier (3.8.1→3.8.3), actionlint (1.7.11→1.7.12). - **fly/Dockerfile**: tag pins → `image@sha256:...` digest pins. Bumped nginx (1.29.6→1.30.0-alpine), tailscale (v1.94.1→v1.94.2 — still inside the safe pre-1.96.5 range), alloy (v1.14.1→v1.16.0). - **mise-tasks**: PEP 723 inline deps converted from `>=` to `==` (PEP 508 doesn't support hashes inline). All scripts pinned to current latest: rich 15.0.0, typer 0.25.0, pyyaml 6.0.3, httpx 0.28.1. - **prek `additional_dependencies`**: ansible-lint==26.4.0, ansible-core==2.20.5. - **taplo-lint**: pass `--no-schema`. Upstream's `--default-schema-catalogs` returns a format taplo v0.9.3 can't parse — we don't validate against TOML schemas anyway, so this turns off the broken catalog fetch. - **docs/update-tooling-dependencies**: documents the SHA-pin convention, `docker buildx imagetools inspect` for digest lookup, and `prek clean` before re-verifying (cache grows to several GiB). Forgejo workflow `actions/checkout@v6.0.2` was already at the latest SHA — no change. ## Test plan - [x] `prek run --all-files` passes after `prek clean` - [x] `deploy-fly` workflow builds and deploys the new fly image on merge - [x] `fly status -a blumeops-proxy` healthy after deploy - [x] Spot-check a few mise tasks (`mise run blumeops-tasks`, `mise run docs-check-links`) to confirm pinned deps resolve cleanly Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/344
2026-04-30 16:51:43 -07:00
- **tailscale/tailscale** — pinned to a known-good version. Do not bump to v1.96.5 or later (MagicDNS regression breaks the proxy boot)
To resolve a tag to a digest:
```fish
docker buildx imagetools inspect docker.io/<image>:<tag>
# Use the top-level "Digest:" line (multi-arch index) — not the per-platform sub-digest
```
Update tooling dependencies (Feb 2026 cycle) (#254) ## Summary Monthly tooling dependency update cycle: - **Pre-commit hooks**: trufflehog v3.92.5→v3.93.4, ruff v0.14.13→v0.15.2, shellcheck v0.10.0.1→v0.11.0.1, prettier v3.8.0→v3.8.1, actionlint v1.7.10→v1.7.11 - **Fly.io Dockerfile**: pin nginx to 1.28.2-alpine (was unpinned), bump alloy v1.5.1→v1.13.1 - **Mise tasks**: normalize httpx lower bound to >=0.28.0 and typer to >=0.15.0 across all scripts - **Forgejo workflows**: actions/checkout@v4 is current, no changes needed - **New how-to doc**: [[update-tooling-dependencies]] documenting this monthly cycle ## No changes needed - pre-commit-hooks v6.0.0, yamllint v1.38.0, shfmt v3.12.0-2, taplo v0.9.3, ansible-lint 26.1.1 — all already at latest ## Test plan - [x] `uvx pre-commit run --all-files` — all 24 hooks pass - [ ] Fly.io deploy (triggered automatically on merge to main via deploy-fly workflow) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/254
2026-02-23 13:08:41 -08:00
After updating, the deploy-fly workflow will build and deploy on merge to main. Verify with `fly status -a blumeops-proxy` after deploy.
C1: SHA-pin tooling dependencies (2026-04 cycle) (#344) ## Summary Monthly tooling dependency refresh, with a one-time conversion from version-tag pins (`rev = "vX.Y.Z"`, `image:tag`, `>=`) to SHA / digest pins everywhere. ## Changes - **prek hooks**: all `rev = "vX.Y.Z"` → commit SHA + `# vX.Y.Z` comment. Bumped trufflehog (3.94.0→3.95.2), kingfisher (1.91.0→1.97.0), ruff (0.15.7→0.15.12), shfmt (3.13.0→3.13.1), prettier (3.8.1→3.8.3), actionlint (1.7.11→1.7.12). - **fly/Dockerfile**: tag pins → `image@sha256:...` digest pins. Bumped nginx (1.29.6→1.30.0-alpine), tailscale (v1.94.1→v1.94.2 — still inside the safe pre-1.96.5 range), alloy (v1.14.1→v1.16.0). - **mise-tasks**: PEP 723 inline deps converted from `>=` to `==` (PEP 508 doesn't support hashes inline). All scripts pinned to current latest: rich 15.0.0, typer 0.25.0, pyyaml 6.0.3, httpx 0.28.1. - **prek `additional_dependencies`**: ansible-lint==26.4.0, ansible-core==2.20.5. - **taplo-lint**: pass `--no-schema`. Upstream's `--default-schema-catalogs` returns a format taplo v0.9.3 can't parse — we don't validate against TOML schemas anyway, so this turns off the broken catalog fetch. - **docs/update-tooling-dependencies**: documents the SHA-pin convention, `docker buildx imagetools inspect` for digest lookup, and `prek clean` before re-verifying (cache grows to several GiB). Forgejo workflow `actions/checkout@v6.0.2` was already at the latest SHA — no change. ## Test plan - [x] `prek run --all-files` passes after `prek clean` - [x] `deploy-fly` workflow builds and deploys the new fly image on merge - [x] `fly status -a blumeops-proxy` healthy after deploy - [x] Spot-check a few mise tasks (`mise run blumeops-tasks`, `mise run docs-check-links`) to confirm pinned deps resolve cleanly Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/344
2026-04-30 16:51:43 -07:00
### 3. Pin mise task dependencies
Update tooling dependencies (Feb 2026 cycle) (#254) ## Summary Monthly tooling dependency update cycle: - **Pre-commit hooks**: trufflehog v3.92.5→v3.93.4, ruff v0.14.13→v0.15.2, shellcheck v0.10.0.1→v0.11.0.1, prettier v3.8.0→v3.8.1, actionlint v1.7.10→v1.7.11 - **Fly.io Dockerfile**: pin nginx to 1.28.2-alpine (was unpinned), bump alloy v1.5.1→v1.13.1 - **Mise tasks**: normalize httpx lower bound to >=0.28.0 and typer to >=0.15.0 across all scripts - **Forgejo workflows**: actions/checkout@v4 is current, no changes needed - **New how-to doc**: [[update-tooling-dependencies]] documenting this monthly cycle ## No changes needed - pre-commit-hooks v6.0.0, yamllint v1.38.0, shfmt v3.12.0-2, taplo v0.9.3, ansible-lint 26.1.1 — all already at latest ## Test plan - [x] `uvx pre-commit run --all-files` — all 24 hooks pass - [ ] Fly.io deploy (triggered automatically on merge to main via deploy-fly workflow) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/254
2026-02-23 13:08:41 -08:00
C1: SHA-pin tooling dependencies (2026-04 cycle) (#344) ## Summary Monthly tooling dependency refresh, with a one-time conversion from version-tag pins (`rev = "vX.Y.Z"`, `image:tag`, `>=`) to SHA / digest pins everywhere. ## Changes - **prek hooks**: all `rev = "vX.Y.Z"` → commit SHA + `# vX.Y.Z` comment. Bumped trufflehog (3.94.0→3.95.2), kingfisher (1.91.0→1.97.0), ruff (0.15.7→0.15.12), shfmt (3.13.0→3.13.1), prettier (3.8.1→3.8.3), actionlint (1.7.11→1.7.12). - **fly/Dockerfile**: tag pins → `image@sha256:...` digest pins. Bumped nginx (1.29.6→1.30.0-alpine), tailscale (v1.94.1→v1.94.2 — still inside the safe pre-1.96.5 range), alloy (v1.14.1→v1.16.0). - **mise-tasks**: PEP 723 inline deps converted from `>=` to `==` (PEP 508 doesn't support hashes inline). All scripts pinned to current latest: rich 15.0.0, typer 0.25.0, pyyaml 6.0.3, httpx 0.28.1. - **prek `additional_dependencies`**: ansible-lint==26.4.0, ansible-core==2.20.5. - **taplo-lint**: pass `--no-schema`. Upstream's `--default-schema-catalogs` returns a format taplo v0.9.3 can't parse — we don't validate against TOML schemas anyway, so this turns off the broken catalog fetch. - **docs/update-tooling-dependencies**: documents the SHA-pin convention, `docker buildx imagetools inspect` for digest lookup, and `prek clean` before re-verifying (cache grows to several GiB). Forgejo workflow `actions/checkout@v6.0.2` was already at the latest SHA — no change. ## Test plan - [x] `prek run --all-files` passes after `prek clean` - [x] `deploy-fly` workflow builds and deploys the new fly image on merge - [x] `fly status -a blumeops-proxy` healthy after deploy - [x] Spot-check a few mise tasks (`mise run blumeops-tasks`, `mise run docs-check-links`) to confirm pinned deps resolve cleanly Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/344
2026-04-30 16:51:43 -07:00
Mise tasks use `uv run --script` with inline PEP 723 dependency metadata. All packages are pinned with `==` (PEP 508 doesn't support hashes inline). Check that pinned versions are consistent across all scripts:
Update tooling dependencies (Feb 2026 cycle) (#254) ## Summary Monthly tooling dependency update cycle: - **Pre-commit hooks**: trufflehog v3.92.5→v3.93.4, ruff v0.14.13→v0.15.2, shellcheck v0.10.0.1→v0.11.0.1, prettier v3.8.0→v3.8.1, actionlint v1.7.10→v1.7.11 - **Fly.io Dockerfile**: pin nginx to 1.28.2-alpine (was unpinned), bump alloy v1.5.1→v1.13.1 - **Mise tasks**: normalize httpx lower bound to >=0.28.0 and typer to >=0.15.0 across all scripts - **Forgejo workflows**: actions/checkout@v4 is current, no changes needed - **New how-to doc**: [[update-tooling-dependencies]] documenting this monthly cycle ## No changes needed - pre-commit-hooks v6.0.0, yamllint v1.38.0, shfmt v3.12.0-2, taplo v0.9.3, ansible-lint 26.1.1 — all already at latest ## Test plan - [x] `uvx pre-commit run --all-files` — all 24 hooks pass - [ ] Fly.io deploy (triggered automatically on merge to main via deploy-fly workflow) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/254
2026-02-23 13:08:41 -08:00
```fish
grep -r 'dependencies' mise-tasks/ | grep '# dependencies'
```
C1: SHA-pin tooling dependencies (2026-04 cycle) (#344) ## Summary Monthly tooling dependency refresh, with a one-time conversion from version-tag pins (`rev = "vX.Y.Z"`, `image:tag`, `>=`) to SHA / digest pins everywhere. ## Changes - **prek hooks**: all `rev = "vX.Y.Z"` → commit SHA + `# vX.Y.Z` comment. Bumped trufflehog (3.94.0→3.95.2), kingfisher (1.91.0→1.97.0), ruff (0.15.7→0.15.12), shfmt (3.13.0→3.13.1), prettier (3.8.1→3.8.3), actionlint (1.7.11→1.7.12). - **fly/Dockerfile**: tag pins → `image@sha256:...` digest pins. Bumped nginx (1.29.6→1.30.0-alpine), tailscale (v1.94.1→v1.94.2 — still inside the safe pre-1.96.5 range), alloy (v1.14.1→v1.16.0). - **mise-tasks**: PEP 723 inline deps converted from `>=` to `==` (PEP 508 doesn't support hashes inline). All scripts pinned to current latest: rich 15.0.0, typer 0.25.0, pyyaml 6.0.3, httpx 0.28.1. - **prek `additional_dependencies`**: ansible-lint==26.4.0, ansible-core==2.20.5. - **taplo-lint**: pass `--no-schema`. Upstream's `--default-schema-catalogs` returns a format taplo v0.9.3 can't parse — we don't validate against TOML schemas anyway, so this turns off the broken catalog fetch. - **docs/update-tooling-dependencies**: documents the SHA-pin convention, `docker buildx imagetools inspect` for digest lookup, and `prek clean` before re-verifying (cache grows to several GiB). Forgejo workflow `actions/checkout@v6.0.2` was already at the latest SHA — no change. ## Test plan - [x] `prek run --all-files` passes after `prek clean` - [x] `deploy-fly` workflow builds and deploys the new fly image on merge - [x] `fly status -a blumeops-proxy` healthy after deploy - [x] Spot-check a few mise tasks (`mise run blumeops-tasks`, `mise run docs-check-links`) to confirm pinned deps resolve cleanly Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/344
2026-04-30 16:51:43 -07:00
For each package in use (`httpx`, `rich`, `typer`, `pyyaml`), pick the latest PyPI version and update every script in lockstep — divergence between scripts is the failure mode this catches. Bump everything together; don't leave one script behind.
Update tooling dependencies (Feb 2026 cycle) (#254) ## Summary Monthly tooling dependency update cycle: - **Pre-commit hooks**: trufflehog v3.92.5→v3.93.4, ruff v0.14.13→v0.15.2, shellcheck v0.10.0.1→v0.11.0.1, prettier v3.8.0→v3.8.1, actionlint v1.7.10→v1.7.11 - **Fly.io Dockerfile**: pin nginx to 1.28.2-alpine (was unpinned), bump alloy v1.5.1→v1.13.1 - **Mise tasks**: normalize httpx lower bound to >=0.28.0 and typer to >=0.15.0 across all scripts - **Forgejo workflows**: actions/checkout@v4 is current, no changes needed - **New how-to doc**: [[update-tooling-dependencies]] documenting this monthly cycle ## No changes needed - pre-commit-hooks v6.0.0, yamllint v1.38.0, shfmt v3.12.0-2, taplo v0.9.3, ansible-lint 26.1.1 — all already at latest ## Test plan - [x] `uvx pre-commit run --all-files` — all 24 hooks pass - [ ] Fly.io deploy (triggered automatically on merge to main via deploy-fly workflow) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/254
2026-02-23 13:08:41 -08:00
Update tooling dependencies (Feb 2026 cycle) Pre-commit: trufflehog v3.93.4, ruff v0.15.2, shellcheck v0.11.0.1, prettier v3.8.1, actionlint v1.7.11 Fly.io: pin nginx 1.28.2-alpine, bump alloy v1.5.1 -> v1.13.1 Forgejo workflows: pin actions/checkout to SHA (v4.3.1) Mise tasks: normalize httpx>=0.28.0, typer>=0.15.0 across all scripts Add how-to doc for the monthly tooling dependency update cycle. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-23 12:15:23 -08:00
### 4. Pin Forgejo workflow action versions
Update tooling dependencies (Feb 2026 cycle) (#254) ## Summary Monthly tooling dependency update cycle: - **Pre-commit hooks**: trufflehog v3.92.5→v3.93.4, ruff v0.14.13→v0.15.2, shellcheck v0.10.0.1→v0.11.0.1, prettier v3.8.0→v3.8.1, actionlint v1.7.10→v1.7.11 - **Fly.io Dockerfile**: pin nginx to 1.28.2-alpine (was unpinned), bump alloy v1.5.1→v1.13.1 - **Mise tasks**: normalize httpx lower bound to >=0.28.0 and typer to >=0.15.0 across all scripts - **Forgejo workflows**: actions/checkout@v4 is current, no changes needed - **New how-to doc**: [[update-tooling-dependencies]] documenting this monthly cycle ## No changes needed - pre-commit-hooks v6.0.0, yamllint v1.38.0, shfmt v3.12.0-2, taplo v0.9.3, ansible-lint 26.1.1 — all already at latest ## Test plan - [x] `uvx pre-commit run --all-files` — all 24 hooks pass - [ ] Fly.io deploy (triggered automatically on merge to main via deploy-fly workflow) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/254
2026-02-23 13:08:41 -08:00
Update tooling dependencies (Feb 2026 cycle) Pre-commit: trufflehog v3.93.4, ruff v0.15.2, shellcheck v0.11.0.1, prettier v3.8.1, actionlint v1.7.11 Fly.io: pin nginx 1.28.2-alpine, bump alloy v1.5.1 -> v1.13.1 Forgejo workflows: pin actions/checkout to SHA (v4.3.1) Mise tasks: normalize httpx>=0.28.0, typer>=0.15.0 across all scripts Add how-to doc for the monthly tooling dependency update cycle. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-23 12:15:23 -08:00
All `uses:` directives in `.forgejo/workflows/*.yaml` must reference upstream actions by **commit SHA**, not mutable tags. This prevents supply-chain attacks where a tag is moved to point at malicious code.
Format: `uses: actions/checkout@<full-sha> # v4.3.1`
The trailing comment documents the human-readable version. To update:
```fish
git ls-remote --tags https://github.com/actions/checkout.git 'refs/tags/v4*' | sort -t/ -k3 -V | tail -5
```
Pick the latest patch tag, note its SHA, and update all occurrences across the workflow files.
Update tooling dependencies (Feb 2026 cycle) (#254) ## Summary Monthly tooling dependency update cycle: - **Pre-commit hooks**: trufflehog v3.92.5→v3.93.4, ruff v0.14.13→v0.15.2, shellcheck v0.10.0.1→v0.11.0.1, prettier v3.8.0→v3.8.1, actionlint v1.7.10→v1.7.11 - **Fly.io Dockerfile**: pin nginx to 1.28.2-alpine (was unpinned), bump alloy v1.5.1→v1.13.1 - **Mise tasks**: normalize httpx lower bound to >=0.28.0 and typer to >=0.15.0 across all scripts - **Forgejo workflows**: actions/checkout@v4 is current, no changes needed - **New how-to doc**: [[update-tooling-dependencies]] documenting this monthly cycle ## No changes needed - pre-commit-hooks v6.0.0, yamllint v1.38.0, shfmt v3.12.0-2, taplo v0.9.3, ansible-lint 26.1.1 — all already at latest ## Test plan - [x] `uvx pre-commit run --all-files` — all 24 hooks pass - [ ] Fly.io deploy (triggered automatically on merge to main via deploy-fly workflow) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/254
2026-02-23 13:08:41 -08:00
### 5. Commit and create PR
Create a single PR with all dependency bumps. The changelog fragment type is `infra`.
## Notes
- **Alloy version gaps**: Grafana Alloy releases frequently. Large version jumps (e.g., v1.5 to v1.13) are normal and generally safe — check the [changelog](https://github.com/grafana/alloy/releases) for breaking changes in the Alloy River config syntax.
Switch git hooks from pre-commit to prek (#276) ## Summary - Replace pre-commit with [prek](https://github.com/j178/prek), a faster Rust-native drop-in alternative - Migrate config from `.pre-commit-config.yaml` (YAML) to `prek.toml` (TOML) - Add new built-in checks: case conflicts, private key detection, executable shebangs - Install prek via mise native registry (`aqua:j178/prek`) instead of pipx - Update all doc references across README, contributing guide, and how-to docs ## Notes - `check-yaml` still uses the remote `pre-commit-hooks` repo because prek's builtin fast path doesn't support `--unsafe` yet (needed for Ansible custom YAML tags) - All existing custom hooks (docs validation, container version check, mikado invariant, workflow validation) work unchanged - Tested: all hooks pass on clean tree, deliberate doc link breakage is caught ## Test plan - [x] `prek run --all-files` passes all checks - [x] Broken wiki-link correctly caught by `docs-check-links` - [x] taplo-format auto-fixes TOML formatting on commit - [x] commit-msg hook (mikado invariant) fires correctly Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/276
2026-03-02 18:15:23 -08:00
- **Ruff minor bumps**: Ruff adds new lint rules in minor versions. A bump may surface new warnings. Run `prek run ruff --all-files` to check before committing.
Update tooling dependencies (Feb 2026 cycle) (#254) ## Summary Monthly tooling dependency update cycle: - **Pre-commit hooks**: trufflehog v3.92.5→v3.93.4, ruff v0.14.13→v0.15.2, shellcheck v0.10.0.1→v0.11.0.1, prettier v3.8.0→v3.8.1, actionlint v1.7.10→v1.7.11 - **Fly.io Dockerfile**: pin nginx to 1.28.2-alpine (was unpinned), bump alloy v1.5.1→v1.13.1 - **Mise tasks**: normalize httpx lower bound to >=0.28.0 and typer to >=0.15.0 across all scripts - **Forgejo workflows**: actions/checkout@v4 is current, no changes needed - **New how-to doc**: [[update-tooling-dependencies]] documenting this monthly cycle ## No changes needed - pre-commit-hooks v6.0.0, yamllint v1.38.0, shfmt v3.12.0-2, taplo v0.9.3, ansible-lint 26.1.1 — all already at latest ## Test plan - [x] `uvx pre-commit run --all-files` — all 24 hooks pass - [ ] Fly.io deploy (triggered automatically on merge to main via deploy-fly workflow) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/254
2026-02-23 13:08:41 -08:00
- **shellcheck bumps**: New shellcheck versions may flag previously-ignored patterns. Review any new failures before updating.
Reference in a new issue Copy permalink