Update tooling dependencies (March 2026) (#307)

## Summary

Monthly tooling dependency update per [[update-tooling-dependencies]].

- **Prek hooks:** trufflehog v3.93.4→v3.94.0, ruff v0.15.2→v0.15.7, shfmt v3.12.0-2→v3.13.0-1, ansible-lint floor→26.3.0, ansible-core floor→2.18
- **Fly.io proxy:** nginx 1.28.2→1.29.6, Grafana Alloy v1.13.1→v1.14.1
- **Forgejo workflows:** actions/checkout v4.3.1→v6.0.2 (SHA-pinned across all 5 workflows)
- **Mise tasks:** tightened Python lower bounds — rich≥14.0.0, typer≥0.24.0, httpx≥0.28.1, pyyaml≥6.0.2

## Test plan

- [x] `prek run --all-files` passes
- [ ] Verify Fly.io deploy succeeds after merge (nginx minor bump + Alloy bump)
- [ ] Spot-check a workflow run with the new actions/checkout v6

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: #307

.forgejo/workflows/branch-cleanup.yaml

@@ -26,7 +26,7 @@ jobs:
     runs-on: k8s
     steps:
       - name: Checkout
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Run branch cleanup
         env:

.forgejo/workflows/build-blumeops.yaml

@@ -104,7 +104,7 @@ jobs:
           echo "Building BlumeOps release: $VERSION"
 
       - name: Checkout
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
 

.forgejo/workflows/build-container.yaml

@@ -28,7 +28,7 @@ jobs:
       nix: ${{ steps.classify.outputs.nix }}
     steps:
       - name: Checkout
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 2
 
@@ -77,7 +77,7 @@ jobs:
         container: ${{ fromJson(needs.detect.outputs.dockerfile) }}
     steps:
       - name: Checkout
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ inputs.ref || github.sha }}
 
@@ -129,7 +129,7 @@ jobs:
         container: ${{ fromJson(needs.detect.outputs.nix) }}
     steps:
       - name: Checkout
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ inputs.ref || github.sha }}
 

.forgejo/workflows/cv-deploy.yaml

@@ -58,7 +58,7 @@ jobs:
           echo "version=$VERSION" >> "$GITHUB_OUTPUT"
 
       - name: Checkout
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Update CV deployment
         run: |

.forgejo/workflows/deploy-fly.yaml

@@ -12,7 +12,7 @@ jobs:
     runs-on: k8s
     steps:
       - name: Checkout
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Install flyctl
         run: |

docs/changelog.d/update-tooling-deps-2026-03.infra.md

@@ -0,0 +1 @@
+Monthly tooling dependency update: bump prek hooks (trufflehog 3.94.0, ruff 0.15.7, shfmt 3.13.0), Fly.io images (nginx 1.29.6, Alloy 1.14.1), actions/checkout v4.3.1→v6.0.2, tighten mise task Python lower bounds (rich 14, typer 0.24, httpx 0.28.1, pyyaml 6.0.2), and bump ansible-lint/ansible-core floors.

fly/Dockerfile

@@ -1,4 +1,4 @@
-FROM nginx:1.28.2-alpine
+FROM nginx:1.29.6-alpine
 
 # Copy tailscale binaries from official image
 COPY --from=docker.io/tailscale/tailscale:stable \
@@ -13,7 +13,7 @@ RUN mkdir -p /var/run/tailscale /var/lib/tailscale \
     && rm -f /etc/fail2ban/jail.d/alpine-ssh.conf
 
 # Copy Alloy binary from official image (Ubuntu-based, needs libc6-compat)
-COPY --from=docker.io/grafana/alloy:v1.13.1 \
+COPY --from=docker.io/grafana/alloy:v1.14.1 \
     /bin/alloy /usr/local/bin/alloy
 
 RUN mkdir -p /var/log/nginx /etc/alloy /tmp/alloy-data

mise-tasks/blumeops-tasks

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["httpx>=0.28.0", "rich>=13.0.0"]
+# dependencies = ["httpx>=0.28.1", "rich>=14.0.0"]
 # ///
 #MISE description="List Blumeops tasks from Todoist sorted by priority"
 """Fetch and display Blumeops tasks from Todoist, sorted by priority.

mise-tasks/branch-cleanup

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["httpx>=0.28.0", "rich>=13.0.0", "typer>=0.15.0"]
+# dependencies = ["httpx>=0.28.1", "rich>=14.0.0", "typer>=0.24.0"]
 # ///
 #MISE description="Delete branches that have been merged into main (local and remote)"
 #MISE alias="bc"

mise-tasks/container-build-and-release

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["typer>=0.15.0", "httpx>=0.28.0"]
+# dependencies = ["typer>=0.24.0", "httpx>=0.28.1"]
 # ///
 #MISE description="Trigger container build workflows via Forgejo API"
 #USAGE arg "<container>" help="Container name (directory under containers/)"

mise-tasks/container-list

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["httpx>=0.28.0", "rich>=13.0.0", "typer>=0.15.0"]
+# dependencies = ["httpx>=0.28.1", "rich>=14.0.0", "typer>=0.24.0"]
 # ///
 #MISE description="List available containers and their recent tags"
 #USAGE arg "[name]" help="Optional container name to filter output"

mise-tasks/container-version-check

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["pyyaml>=6.0", "rich>=13.0.0", "typer>=0.15.0"]
+# dependencies = ["pyyaml>=6.0.2", "rich>=14.0.0", "typer>=0.24.0"]
 # ///
 #MISE description="Validate container version consistency across Dockerfiles, nix derivations, and service-versions.yaml"
 #USAGE flag "--all-files" help="Check all containers, not just changed ones"

mise-tasks/docs-check-frontmatter

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["rich>=13.0.0"]
+# dependencies = ["rich>=14.0.0"]
 # ///
 #MISE description="Check that all docs have required frontmatter fields"
 """Validate that all documentation files have required YAML frontmatter.

mise-tasks/docs-check-links

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["rich>=13.0.0"]
+# dependencies = ["rich>=14.0.0"]
 # ///
 #MISE description="Validate all wiki-links point to existing doc files"
 """Validate that all wiki-links in documentation point to existing files.

mise-tasks/docs-mikado

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["httpx>=0.28.0", "pyyaml>=6.0", "rich>=13.0.0", "typer>=0.15.0"]
+# dependencies = ["httpx>=0.28.1", "pyyaml>=6.0.2", "rich>=14.0.0", "typer>=0.24.0"]
 # ///
 #MISE description="View active Mikado dependency chains for C2 changes"
 #USAGE arg "[card]" help="Card stem to show chain for"

mise-tasks/docs-preview

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["pyyaml>=6.0", "rich>=13.0.0", "typer>=0.15.0"]
+# dependencies = ["pyyaml>=6.0.2", "rich>=14.0.0", "typer>=0.24.0"]
 # ///
 #MISE description="Build docs with Dagger and serve locally, opening to a specific card"
 #USAGE arg "<card>" help="Card path relative to docs/, e.g. how-to/knowledgebase/review-documentation"

mise-tasks/docs-review

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["pyyaml>=6.0", "rich>=13.0.0", "typer>=0.15.0"]
+# dependencies = ["pyyaml>=6.0.2", "rich>=14.0.0", "typer>=0.24.0"]
 # ///
 #MISE description="Review the most stale documentation card by last-reviewed date"
 #USAGE flag "--limit <limit>" default="15" help="Number of docs to show in the table"

mise-tasks/docs-review-stale

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["rich>=13.0.0", "typer>=0.15.0"]
+# dependencies = ["rich>=14.0.0", "typer>=0.24.0"]
 # ///
 #MISE description="Report docs by git-last-modified date, highlighting stale ones"
 #USAGE flag "--threshold <threshold>" default="180" help="Days before a doc is considered stale"

mise-tasks/docs-review-tags

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["pyyaml>=6.0", "rich>=13.0.0"]
+# dependencies = ["pyyaml>=6.0.2", "rich>=14.0.0"]
 # ///
 #MISE description="Print frontmatter tag inventory across all docs"
 """Print every frontmatter tag with usage count and file list.

mise-tasks/mikado-branch-invariant-check

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["rich>=13.0.0", "typer>=0.15.0"]
+# dependencies = ["rich>=14.0.0", "typer>=0.24.0"]
 # ///
 #MISE description="Validate Mikado Branch Invariant on mikado/* branches"
 #USAGE arg "[commit_msg_file]" help="Commit message file (passed by commit-msg hook)"

mise-tasks/op-backup

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["rich>=13.0.0", "typer>=0.15.0"]
+# dependencies = ["rich>=14.0.0", "typer>=0.24.0"]
 # ///
 #MISE description="Encrypt a 1Password .1pux export and send to indri for borgmatic"
 #USAGE arg "[export_path]" help="Path to .1pux export file (prompted if omitted)"

mise-tasks/pr-comments

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["httpx>=0.28.0", "rich>=13.0.0", "typer>=0.15.0"]
+# dependencies = ["httpx>=0.28.1", "rich>=14.0.0", "typer>=0.24.0"]
 # ///
 #MISE description="List unresolved comments on a PR"
 #USAGE arg "<pr_number>" help="Pull request number"

mise-tasks/runner-logs

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["httpx>=0.28.0", "rich>=13.0.0", "typer>=0.15.0"]
+# dependencies = ["httpx>=0.28.1", "rich>=14.0.0", "typer>=0.24.0"]
 # ///
 #MISE description="Get logs for a Forgejo Actions workflow run (indri or ringtail runner)"
 #USAGE arg "<runner>" help="Runner filter: indri, ringtail, or all"

mise-tasks/service-review

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["pyyaml>=6.0", "rich>=13.0.0", "typer>=0.15.0"]
+# dependencies = ["pyyaml>=6.0.2", "rich>=14.0.0", "typer>=0.24.0"]
 # ///
 #MISE description="Review the most stale service for version freshness"
 #USAGE flag "--limit <limit>" default="15" help="Number of services to show in the table"

prek.toml

@@ -28,7 +28,7 @@ hooks = [{ id = "check-yaml", args = ["--unsafe"] }]
 # Secret detection
 [[repos]]
 repo = "https://github.com/trufflesecurity/trufflehog"
-rev = "v3.93.4"
+rev = "v3.94.0"
 hooks = [
   { id = "trufflehog", entry = "trufflehog git file://. --since-commit HEAD --no-verification --fail", stages = [
     "pre-commit",
@@ -52,12 +52,12 @@ name = "ansible-lint"
 entry = "env ANSIBLE_ROLES_PATH=ansible/roles ansible-lint"
 language = "python"
 files = "^ansible/"
-additional_dependencies = ["ansible-lint>=26.1.1", "ansible-core>=2.15"]
+additional_dependencies = ["ansible-lint>=26.3.0", "ansible-core>=2.18"]
 
 # Python - ruff for linting and formatting
 [[repos]]
 repo = "https://github.com/astral-sh/ruff-pre-commit"
-rev = "v0.15.2"
+rev = "v0.15.7"
 hooks = [{ id = "ruff", args = ["--fix"] }, { id = "ruff-format" }]
 
 # Shell scripts - shellcheck and shfmt
@@ -68,7 +68,7 @@ hooks = [{ id = "shellcheck", args = ["--severity=warning"] }]
 
 [[repos]]
 repo = "https://github.com/scop/pre-commit-shfmt"
-rev = "v3.12.0-2"
+rev = "v3.13.0-1"
 hooks = [{ id = "shfmt", args = ["-i", "2", "-ci", "-bn"] }]
 
 # TOML - taplo