Update tooling dependencies (Feb 2026 cycle)

Pre-commit: trufflehog v3.93.4, ruff v0.15.2, shellcheck v0.11.0.1,
prettier v3.8.1, actionlint v1.7.11

Fly.io: pin nginx 1.28.2-alpine, bump alloy v1.5.1 -> v1.13.1

Forgejo workflows: pin actions/checkout to SHA (v4.3.1)

Mise tasks: normalize httpx>=0.28.0, typer>=0.15.0 across all scripts

Add how-to doc for the monthly tooling dependency update cycle.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Erich Blume 2026-02-23 12:15:23 -08:00
commit 84d2cdcf14
7 changed files with 22 additions and 10 deletions


@ -26,7 +26,7 @@ jobs:
runs-on: k8s
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
- name: Run branch cleanup
env:
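Review bot: the trailing `# v4.3.1` on the new `uses:` line is the only link between the pinned SHA and a version, and nothing in this hunk lets a reviewer confirm that `34e114876b0b11c390a56381ad16ebd13914f8d5` is the commit that tag points to; a later edit that bumps the comment without the SHA, or the other way round, would also go unnoticed. Suggest stating in the PR how the SHA was resolved (the `git ls-remote` command the new how-to adds, with its output) and adding a pre-commit or CI step that re-resolves each pinned `actions/checkout@<sha>` against its commented tag and fails on mismatch, so the pin stays honest after each monthly cycle.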


@ -104,7 +104,7 @@ jobs:
echo "Building BlumeOps release: $VERSION"
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-depth: 0
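Review bot: this is the same pin as in the previous hunk and in the six checkout hunks that follow, so eight copies of one SHA across six workflow files now have to move together every cycle, and a single missed file would leave that workflow on a different revision with no warning. Suggest a consistency check in the how-to or in pre-commit, e.g. `grep -rhn 'actions/checkout@' .forgejo/workflows/ | awk '{print $NF}' | sort -u` must yield exactly one `# vX.Y.Z` comment and one SHA after an update.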


@ -26,7 +26,7 @@ jobs:
containers: ${{ steps.list.outputs.containers }}
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-depth: 2
@ -52,7 +52,7 @@ jobs:
container: ${{ fromJson(needs.detect.outputs.containers) }}
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
- name: Check for default.nix
id: check


@ -26,7 +26,7 @@ jobs:
containers: ${{ steps.list.outputs.containers }}
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-depth: 2
@ -53,7 +53,7 @@ jobs:
container: ${{ fromJson(needs.detect.outputs.containers) }}
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
- name: Check for Dockerfile
id: check


@ -58,7 +58,7 @@ jobs:
echo "version=$VERSION" >> "$GITHUB_OUTPUT"
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
- name: Update CV deployment
run: |


@ -12,7 +12,7 @@ jobs:
runs-on: k8s
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
- name: Install flyctl
run: |


@ -5,6 +5,8 @@ last-reviewed: 2026-02-23
tags:
- how-to
- configuration
aliases: []
id: update-tooling-dependencies
---
# Update Tooling Dependencies
@ -54,9 +56,19 @@ grep -r 'dependencies' mise-tasks/ | grep '# dependencies'
Ensure all scripts using the same package agree on the minimum version. When a package has a new major or breaking minor release, bump the lower bound across all scripts at once.
### 4. Check Forgejo workflow action versions
### 4. Pin Forgejo workflow action versions
Review `.forgejo/workflows/*.yaml` for `uses:` directives. Currently all workflows use `actions/checkout@v4` which tracks the latest v4.x.
All `uses:` directives in `.forgejo/workflows/*.yaml` must reference upstream actions by **commit SHA**, not mutable tags. This prevents supply-chain attacks where a tag is moved to point at malicious code.
Format: `uses: actions/checkout@<full-sha> # v4.3.1`
The trailing comment documents the human-readable version. To update:
```fish
git ls-remote --tags https://github.com/actions/checkout.git 'refs/tags/v4*' | sort -t/ -k3 -V | tail -5
```
Pick the latest patch tag, note its SHA, and update all occurrences across the workflow files.
### 5. Commit and create PR
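Review bot: "note its SHA" in the new step 4 is underspecified for annotated tags: `git ls-remote --tags` lists an annotated tag twice, once as `refs/tags/vX.Y.Z` (the SHA of the tag object) and once as `refs/tags/vX.Y.Z^{}` (the commit it points to), and `uses:` needs the commit SHA; pinning the tag-object SHA would only surface as a checkout failure at run time rather than in review. Suggest adding that the `^{}` line is the one to copy when both appear, plus a verification step after editing (re-run `git ls-remote --tags https://github.com/actions/checkout.git` with the chosen tag as the pattern and confirm the SHA now in the workflows is present). Also, the sentence beginning "All `uses:` directives ... must reference upstream actions by **commit SHA**" states a policy with no enforcement point; a pre-commit check that rejects `uses: .*@v[0-9]` in `.forgejo/workflows/` would keep the next cycle from reintroducing a mutable tag.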