From 84d2cdcf146ad186a2e030b06e4d4d86dc935bed Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Mon, 23 Feb 2026 12:15:23 -0800 Subject: [PATCH] Update tooling dependencies (Feb 2026 cycle) Pre-commit: trufflehog v3.93.4, ruff v0.15.2, shellcheck v0.11.0.1, prettier v3.8.1, actionlint v1.7.11 Fly.io: pin nginx 1.28.2-alpine, bump alloy v1.5.1 -> v1.13.1 Forgejo workflows: pin actions/checkout to SHA (v4.3.1) Mise tasks: normalize httpx>=0.28.0, typer>=0.15.0 across all scripts Add how-to doc for the monthly tooling dependency update cycle. Co-Authored-By: Claude Opus 4.6 --- .forgejo/workflows/branch-cleanup.yaml | 2 +- .forgejo/workflows/build-blumeops.yaml | 2 +- .forgejo/workflows/build-container-nix.yaml | 4 ++-- .forgejo/workflows/build-container.yaml | 4 ++-- .forgejo/workflows/cv-deploy.yaml | 2 +- .forgejo/workflows/deploy-fly.yaml | 2 +- .../configuration/update-tooling-dependencies.md | 16 ++++++++++++++-- 7 files changed, 22 insertions(+), 10 deletions(-) diff --git a/.forgejo/workflows/branch-cleanup.yaml b/.forgejo/workflows/branch-cleanup.yaml index cb509b3..61307ea 100644 --- a/.forgejo/workflows/branch-cleanup.yaml +++ b/.forgejo/workflows/branch-cleanup.yaml @@ -26,7 +26,7 @@ jobs: runs-on: k8s steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Run branch cleanup env: diff --git a/.forgejo/workflows/build-blumeops.yaml b/.forgejo/workflows/build-blumeops.yaml index e771033..616d2cf 100644 --- a/.forgejo/workflows/build-blumeops.yaml +++ b/.forgejo/workflows/build-blumeops.yaml @@ -104,7 +104,7 @@ jobs: echo "Building BlumeOps release: $VERSION" - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 diff --git a/.forgejo/workflows/build-container-nix.yaml b/.forgejo/workflows/build-container-nix.yaml index d68729f..d3ef2bf 100644 --- a/.forgejo/workflows/build-container-nix.yaml 
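Review bot: The new `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1` line pins by commit, but nothing in the workflow or the runner checks that the trailing `# v4.3.1` comment actually describes that commit, so the comment is documentation only and a mismatch would go unnoticed; a lint step that resolves each pinned SHA against the named tag (or a review-time `git ls-remote` check, which the how-to in this same patch already describes) would close that gap. Because these are Forgejo workflows, the runner presumably resolves `actions/checkout` against its configured default actions URL rather than github.com, so the pinned commit must exist on whatever mirror that points to — worth confirming once on a real run before relying on it, since a tag ref may be present where a specific commit is not. The identical pin change appears in the build-blumeops, build-container-nix (two hunks), build-container (two hunks), cv-deploy and deploy-fly hunks; this note applies to all of them.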
+++ b/.forgejo/workflows/build-container-nix.yaml @@ -26,7 +26,7 @@ jobs: containers: ${{ steps.list.outputs.containers }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 2 @@ -52,7 +52,7 @@ jobs: container: ${{ fromJson(needs.detect.outputs.containers) }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Check for default.nix id: check diff --git a/.forgejo/workflows/build-container.yaml b/.forgejo/workflows/build-container.yaml index c589f67..0fdbaba 100644 --- a/.forgejo/workflows/build-container.yaml +++ b/.forgejo/workflows/build-container.yaml @@ -26,7 +26,7 @@ jobs: containers: ${{ steps.list.outputs.containers }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 2 @@ -53,7 +53,7 @@ jobs: container: ${{ fromJson(needs.detect.outputs.containers) }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Check for Dockerfile id: check diff --git a/.forgejo/workflows/cv-deploy.yaml b/.forgejo/workflows/cv-deploy.yaml index d2314c9..4aec393 100644 --- a/.forgejo/workflows/cv-deploy.yaml +++ b/.forgejo/workflows/cv-deploy.yaml @@ -58,7 +58,7 @@ jobs: echo "version=$VERSION" >> "$GITHUB_OUTPUT" - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Update CV deployment run: | diff --git a/.forgejo/workflows/deploy-fly.yaml b/.forgejo/workflows/deploy-fly.yaml index a38e845..0a63345 100644 --- a/.forgejo/workflows/deploy-fly.yaml +++ b/.forgejo/workflows/deploy-fly.yaml 
@@ -12,7 +12,7 @@ jobs: runs-on: k8s steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Install flyctl run: | diff --git a/docs/how-to/configuration/update-tooling-dependencies.md b/docs/how-to/configuration/update-tooling-dependencies.md index 0a5b4bf..6468348 100644 --- a/docs/how-to/configuration/update-tooling-dependencies.md +++ b/docs/how-to/configuration/update-tooling-dependencies.md @@ -5,6 +5,8 @@ last-reviewed: 2026-02-23 tags: - how-to - configuration +aliases: [] +id: update-tooling-dependencies --- # Update Tooling Dependencies @@ -54,9 +56,19 @@ grep -r 'dependencies' mise-tasks/ | grep '# dependencies' Ensure all scripts using the same package agree on the minimum version. When a package has a new major or breaking minor release, bump the lower bound across all scripts at once. -### 4. Check Forgejo workflow action versions +### 4. Pin Forgejo workflow action versions -Review `.forgejo/workflows/*.yaml` for `uses:` directives. Currently all workflows use `actions/checkout@v4` which tracks the latest v4.x. +All `uses:` directives in `.forgejo/workflows/*.yaml` must reference upstream actions by **commit SHA**, not mutable tags. This prevents supply-chain attacks where a tag is moved to point at malicious code. + +Format: `uses: actions/checkout@ # v4.3.1` + +The trailing comment documents the human-readable version. To update: + +```fish +git ls-remote --tags https://github.com/actions/checkout.git 'refs/tags/v4*' | sort -t/ -k3 -V | tail -5 +``` + +Pick the latest patch tag, note its SHA, and update all occurrences across the workflow files. ### 5. Commit and create PR