Update tooling dependencies (Feb 2026 cycle)

Pre-commit: trufflehog v3.93.4, ruff v0.15.2, shellcheck v0.11.0.1,
prettier v3.8.1, actionlint v1.7.11

Fly.io: pin nginx 1.28.2-alpine, bump alloy v1.5.1 -> v1.13.1

Forgejo workflows: pin actions/checkout to SHA (v4.3.1)

Mise tasks: normalize httpx>=0.28.0, typer>=0.15.0 across all scripts

Add how-to doc for the monthly tooling dependency update cycle.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Erich Blume 2026-02-23 12:15:23 -08:00
commit 84d2cdcf14
7 changed files with 22 additions and 10 deletions

@ -5,6 +5,8 @@ last-reviewed: 2026-02-23
tags:
- how-to
- configuration
aliases: []
id: update-tooling-dependencies
---
# Update Tooling Dependencies
@ -54,9 +56,19 @@ grep -r 'dependencies' mise-tasks/ | grep '# dependencies'
Ensure all scripts using the same package agree on the minimum version. When a package has a new major or breaking minor release, bump the lower bound across all scripts at once.
### 4. Check Forgejo workflow action versions
### 4. Pin Forgejo workflow action versions
Review `.forgejo/workflows/*.yaml` for `uses:` directives. Currently all workflows use `actions/checkout@v4` which tracks the latest v4.x.
All `uses:` directives in `.forgejo/workflows/*.yaml` must reference upstream actions by **commit SHA**, not mutable tags. This prevents supply-chain attacks where a tag is moved to point at malicious code.
Format: `uses: actions/checkout@<full-sha> # v4.3.1`
The trailing comment documents the human-readable version. To update:
```fish
git ls-remote --tags https://github.com/actions/checkout.git 'refs/tags/v4*' | sort -t/ -k3 -V | tail -5
```
Pick the latest patch tag, note its SHA, and update all occurrences across the workflow files.
### 5. Commit and create PR
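Review bot: the "Pick the latest patch tag, note its SHA" step after the `git ls-remote --tags` command does not say which SHA to take. For an annotated tag, ls-remote prints the tag object's SHA on the `refs/tags/vX.Y.Z` line and the underlying commit on a separate `refs/tags/vX.Y.Z^{}` line, and both can appear in the output filtered by `'refs/tags/v4*'`, so the two are easy to confuse. Since this section requires a commit SHA, suggest stating that the peeled `^{}` SHA is the one to pin whenever that line is present. It would also help to give step 4 a verification command, for example a grep over `.forgejo/workflows/*.yaml` for `uses:` lines whose ref is not a 40-character hex string, so a leftover tag reference is caught before the PR is opened.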