C1: SHA-pin tooling dependencies (2026-04 cycle)

- prek hooks: convert all rev = "vX.Y.Z" to commit SHAs with version comments
- fly/Dockerfile: digest-pin nginx (1.30.0-alpine), tailscale (v1.94.2),
  and alloy (v1.16.0); bump from previous tag pins
- mise-tasks: pin PEP 723 deps with == (rich 15.0.0, typer 0.25.0,
  pyyaml 6.0.3, httpx 0.28.1) — PEP 508 doesn't support hashes inline
- prek additional_dependencies: pin ansible-lint==26.4.0, ansible-core==2.20.5
- taplo-lint: pass --no-schema (upstream catalog format changed and
  taplo v0.9.3 can't parse it; we don't validate against TOML schemas)
- docs/update-tooling-dependencies: document SHA-pin convention,
  digest-pin lookup via docker buildx imagetools, and prek clean before
  re-verifying (cache can grow to several GiB)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

docs/changelog.d/update-tooling-deps-2026-04.infra.md

@@ -0,0 +1 @@
+Monthly tooling dependency refresh: prek hooks (trufflehog, kingfisher, ruff, shfmt, prettier, actionlint, ansible-lint), fly proxy base images (nginx 1.30.0, tailscale v1.94.2, alloy v1.16.0), normalize pyyaml lower bound in mise-tasks.

docs/how-to/configuration/update-tooling-dependencies.md

@@ -28,33 +28,45 @@ Out of scope: ArgoCD-deployed service images, Ansible role versions, NixOS flake
 
 ### 1. Check prek hook versions
 
-For each repo in `prek.toml` with a `rev =` value, check the upstream GitHub releases page for a newer tag. Update each `rev` to the latest release tag. Also check `additional_dependencies` entries for PyPI version bumps.
-
-Verify after updating:
+For each repo in `prek.toml` with a `rev =` value, check the upstream GitHub releases page for a newer tag. Update each `rev` to the **commit SHA** of the latest release with a trailing `# vX.Y.Z` comment (matches the `additional_dependencies` and Forgejo workflow pinning style). Also check `additional_dependencies` entries for PyPI version bumps and pin them with `==`.
 
 ```fish
+git ls-remote --tags https://github.com/<owner>/<repo>.git 'refs/tags/v*' | sort -t/ -k3 -V | tail -5
+```
+
+Clear the prek cache before verifying — it can grow to several GiB (one venv per hook per version) and old cached environments can mask resolution failures or stale catalogs:
+
+```fish
+prek clean
 prek run --all-files
 ```
 
 ### 2. Check Fly.io Dockerfile pins
 
-Review `fly/Dockerfile` for pinned image tags:
+Review `fly/Dockerfile` for pinned image digests. Each `FROM` and `COPY --from=` uses `image@sha256:...` digest pinning with a comment line above documenting the human-readable version.
 
 - **nginx** — check [Docker Hub](https://hub.docker.com/_/nginx) for latest stable alpine tag
 - **grafana/alloy** — check [GitHub releases](https://github.com/grafana/alloy/releases)
-- **tailscale/tailscale** — uses `stable` rolling tag, no action needed
+- **tailscale/tailscale** — pinned to a known-good version. Do not bump to v1.96.5 or later (MagicDNS regression breaks the proxy boot)
+
+To resolve a tag to a digest:
+
+```fish
+docker buildx imagetools inspect docker.io/<image>:<tag>
+# Use the top-level "Digest:" line (multi-arch index) — not the per-platform sub-digest
+```
 
 After updating, the deploy-fly workflow will build and deploy on merge to main. Verify with `fly status -a blumeops-proxy` after deploy.
 
-### 3. Normalize mise task dependency bounds
+### 3. Pin mise task dependencies
 
-Mise tasks use `uv run --script` with inline PEP 723 dependency metadata. Check that lower bounds are consistent across all scripts:
+Mise tasks use `uv run --script` with inline PEP 723 dependency metadata. All packages are pinned with `==` (PEP 508 doesn't support hashes inline). Check that pinned versions are consistent across all scripts:
 
 ```fish
 grep -r 'dependencies' mise-tasks/ | grep '# dependencies'
 ```
 
-Ensure all scripts using the same package agree on the minimum version. When a package has a new major or breaking minor release, bump the lower bound across all scripts at once.
+For each package in use (`httpx`, `rich`, `typer`, `pyyaml`), pick the latest PyPI version and update every script in lockstep — divergence between scripts is the failure mode this catches. Bump everything together; don't leave one script behind.
 
 ### 4. Pin Forgejo workflow action versions
 

fly/Dockerfile

@@ -1,9 +1,10 @@
-FROM nginx:1.29.6-alpine
+# nginx 1.30.0-alpine
+FROM nginx@sha256:0272e4604ed93c1792f03695a033a6e8546840f86e0de20a884bb17d2c924883
 
-# Copy tailscale binaries from official image
-COPY --from=docker.io/tailscale/tailscale:v1.94.1 \
+# Copy tailscale binaries from official image (v1.94.2)
+COPY --from=docker.io/tailscale/tailscale@sha256:95e528798bebe75f39b10e74e7051cf51188ee615934f232ba7ad06a3390ffa1 \
     /usr/local/bin/tailscaled /usr/local/bin/tailscaled
-COPY --from=docker.io/tailscale/tailscale:v1.94.1 \
+COPY --from=docker.io/tailscale/tailscale@sha256:95e528798bebe75f39b10e74e7051cf51188ee615934f232ba7ad06a3390ffa1 \
     /usr/local/bin/tailscale /usr/local/bin/tailscale
 
 RUN mkdir -p /var/run/tailscale /var/lib/tailscale \
@@ -12,8 +13,8 @@ RUN mkdir -p /var/run/tailscale /var/lib/tailscale \
     && apk add --no-cache fail2ban \
     && rm -f /etc/fail2ban/jail.d/alpine-ssh.conf
 
-# Copy Alloy binary from official image (Ubuntu-based, needs libc6-compat)
-COPY --from=docker.io/grafana/alloy:v1.14.1 \
+# Copy Alloy binary from official image (v1.16.0, Ubuntu-based, needs libc6-compat)
+COPY --from=docker.io/grafana/alloy@sha256:6e00cf7c5a692ff5f24844529416ed017d76fce922f8199004e73d5eca46b6b8 \
     /bin/alloy /usr/local/bin/alloy
 
 RUN mkdir -p /var/log/nginx /etc/alloy /tmp/alloy-data

mise-tasks/blumeops-tasks

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["httpx>=0.28.1", "rich>=14.0.0"]
+# dependencies = ["httpx==0.28.1", "rich==15.0.0"]
 # ///
 #MISE description="List Blumeops tasks from Todoist sorted by priority"
 """Fetch and display Blumeops tasks from Todoist, sorted by priority.

mise-tasks/branch-cleanup

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["httpx>=0.28.1", "rich>=14.0.0", "typer>=0.24.0"]
+# dependencies = ["httpx==0.28.1", "rich==15.0.0", "typer==0.25.0"]
 # ///
 #MISE description="Delete branches that have been merged into main (local and remote)"
 #MISE alias="bc"

mise-tasks/container-build-and-release

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["typer>=0.24.0", "httpx>=0.28.1"]
+# dependencies = ["typer==0.25.0", "httpx==0.28.1"]
 # ///
 #MISE description="Trigger container build workflows via Forgejo API"
 #USAGE arg "<container>" help="Container name (directory under containers/)"

mise-tasks/container-list

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["httpx>=0.28.1", "rich>=14.0.0", "typer>=0.24.0"]
+# dependencies = ["httpx==0.28.1", "rich==15.0.0", "typer==0.25.0"]
 # ///
 #MISE description="List available containers and their recent tags"
 #USAGE arg "[name]" help="Optional container name to filter output"

mise-tasks/container-version-check

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["pyyaml>=6.0.2", "rich>=14.0.0", "typer>=0.24.0"]
+# dependencies = ["pyyaml==6.0.3", "rich==15.0.0", "typer==0.25.0"]
 # ///
 #MISE description="Validate container version consistency across container.py, Dockerfiles, nix derivations, and service-versions.yaml"
 #USAGE flag "--all-files" help="Check all containers, not just changed ones"

mise-tasks/dns-acme-cleanup

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["httpx>=0.28.1", "rich>=14.0.0", "typer>=0.24.0"]
+# dependencies = ["httpx==0.28.1", "rich==15.0.0", "typer==0.25.0"]
 # ///
 #MISE description="Delete orphaned ACME challenge TXT records in eblu.me"
 #USAGE flag "--dry-run" help="List orphans without deleting"

mise-tasks/docs-check-frontmatter

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["rich>=14.0.0"]
+# dependencies = ["rich==15.0.0"]
 # ///
 #MISE description="Check that all docs have required frontmatter fields"
 """Validate that all documentation files have required YAML frontmatter.

mise-tasks/docs-check-links

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["rich>=14.0.0"]
+# dependencies = ["rich==15.0.0"]
 # ///
 #MISE description="Validate all wiki-links point to existing doc files"
 """Validate that all wiki-links in documentation point to existing files.

mise-tasks/docs-mikado

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["httpx>=0.28.1", "pyyaml>=6.0.2", "rich>=14.0.0", "typer>=0.24.0"]
+# dependencies = ["httpx==0.28.1", "pyyaml==6.0.3", "rich==15.0.0", "typer==0.25.0"]
 # ///
 #MISE description="View active Mikado dependency chains for C2 changes"
 #USAGE arg "[card]" help="Card stem to show chain for"

mise-tasks/docs-preview

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["pyyaml>=6.0.2", "rich>=14.0.0", "typer>=0.24.0"]
+# dependencies = ["pyyaml==6.0.3", "rich==15.0.0", "typer==0.25.0"]
 # ///
 #MISE description="Build docs with Dagger and serve locally, opening to a specific card"
 #USAGE arg "<card>" help="Card path relative to docs/, e.g. how-to/knowledgebase/review-documentation"

mise-tasks/docs-review

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["pyyaml>=6.0.2", "rich>=14.0.0", "typer>=0.24.0"]
+# dependencies = ["pyyaml==6.0.3", "rich==15.0.0", "typer==0.25.0"]
 # ///
 #MISE description="Review the most stale documentation card by last-reviewed date"
 #USAGE flag "--limit <limit>" default="15" help="Number of docs to show in the table"

mise-tasks/docs-review-stale

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["rich>=14.0.0", "typer>=0.24.0"]
+# dependencies = ["rich==15.0.0", "typer==0.25.0"]
 # ///
 #MISE description="Report docs by git-last-modified date, highlighting stale ones"
 #USAGE flag "--threshold <threshold>" default="180" help="Days before a doc is considered stale"

mise-tasks/docs-review-tags

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["pyyaml>=6.0.2", "rich>=14.0.0"]
+# dependencies = ["pyyaml==6.0.3", "rich==15.0.0"]
 # ///
 #MISE description="Print frontmatter tag inventory across all docs"
 """Print every frontmatter tag with usage count and file list.

mise-tasks/mikado-branch-invariant-check

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["rich>=14.0.0", "typer>=0.24.0"]
+# dependencies = ["rich==15.0.0", "typer==0.25.0"]
 # ///
 #MISE description="Validate Mikado Branch Invariant on mikado/* branches"
 #USAGE arg "[commit_msg_file]" help="Commit message file (passed by commit-msg hook)"

mise-tasks/op-backup

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["rich>=14.0.0", "typer>=0.24.0"]
+# dependencies = ["rich==15.0.0", "typer==0.25.0"]
 # ///
 #MISE description="Encrypt a 1Password .1pux export and send to indri for borgmatic"
 #USAGE arg "[export_path]" help="Path to .1pux export file (prompted if omitted)"

mise-tasks/pr-comments

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["httpx>=0.28.1", "rich>=14.0.0", "typer>=0.24.0"]
+# dependencies = ["httpx==0.28.1", "rich==15.0.0", "typer==0.25.0"]
 # ///
 #MISE description="List unresolved comments on a PR"
 #USAGE arg "<pr_number>" help="Pull request number"

mise-tasks/prune-ringtail-generations

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["rich>=14.0.0", "typer>=0.24.0"]
+# dependencies = ["rich==15.0.0", "typer==0.25.0"]
 # ///
 #MISE description="Prune old NixOS generations on ringtail, preserving rollback safety"
 #MISE alias="prg"

mise-tasks/review-compensating-controls

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["pyyaml>=6.0.2", "rich>=14.0.0", "typer>=0.24.0"]
+# dependencies = ["pyyaml==6.0.3", "rich==15.0.0", "typer==0.25.0"]
 # ///
 #MISE description="Review the most stale compensating control"
 #USAGE flag "--limit <limit>" default="10" help="Number of controls to show in the table"

mise-tasks/review-compliance-reports

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["rich>=14.0.0", "typer>=0.24.0", "pyyaml>=6.0"]
+# dependencies = ["rich==15.0.0", "typer==0.25.0", "pyyaml==6.0.3"]
 # ///
 #MISE description="Summarize the latest Prowler and Kingfisher compliance reports from sifaka"
 #USAGE flag "--full" help="Show all unmuted failures, not just new ones"

mise-tasks/runner-logs

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["httpx>=0.28.1", "rich>=14.0.0", "typer>=0.24.0"]
+# dependencies = ["httpx==0.28.1", "rich==15.0.0", "typer==0.25.0"]
 # ///
 #MISE description="List recent Forgejo Actions runs or fetch logs for a specific job"
 #USAGE arg "[run_number]" help="Run number to show jobs for (omit to list recent runs)"

mise-tasks/service-review

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["pyyaml>=6.0.2", "rich>=14.0.0", "typer>=0.24.0"]
+# dependencies = ["pyyaml==6.0.3", "rich==15.0.0", "typer==0.25.0"]
 # ///
 #MISE description="Review the most stale service for version freshness"
 #USAGE flag "--limit <limit>" default="15" help="Number of services to show in the table"

mise-tasks/spork-create

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["httpx>=0.28.1", "rich>=14.0.0", "typer>=0.24.0"]
+# dependencies = ["httpx==0.28.1", "rich==15.0.0", "typer==0.25.0"]
 # ///
 #MISE description="Create a spork (floating-branch soft-fork) of a mirrored upstream project"
 #USAGE arg "<repo_name>" help="Repository name in the mirrors/ org on forge (e.g. kingfisher)"

prek.toml

@@ -22,13 +22,13 @@ hooks = [
 # check-yaml with --unsafe (builtin fast path doesn't support --unsafe yet)
 [[repos]]
 repo = "https://github.com/pre-commit/pre-commit-hooks"
-rev = "v6.0.0"
+rev = "3e8a8703264a2f4a69428a0aa4dcb512790b2c8c"        # v6.0.0
 hooks = [{ id = "check-yaml", args = ["--unsafe"] }]
 
 # Secret detection (running both tools in parallel to compare coverage)
 [[repos]]
 repo = "https://github.com/trufflesecurity/trufflehog"
-rev = "v3.94.0"
+rev = "17456f8c7d042d8c82c9a8ca9e937231f9f42e26" # v3.95.2
 hooks = [
   { id = "trufflehog", entry = "trufflehog git file://. --since-commit HEAD --no-verification --fail", stages = [
     "pre-commit",
@@ -38,7 +38,7 @@ hooks = [
 
 [[repos]]
 repo = "https://github.com/mongodb/kingfisher"
-rev = "v1.91.0"
+rev = "9ddec4ab8b53653d4941e6b3fd4ff602ce91d81b" # v1.97.0
 hooks = [
   { id = "kingfisher", args = [
     "scan",
@@ -56,7 +56,7 @@ hooks = [
 # YAML linting
 [[repos]]
 repo = "https://github.com/adrienverge/yamllint"
-rev = "v1.38.0"
+rev = "cba56bcde1fdd01c1deb3f945e69764c291a6530"               # v1.38.0
 hooks = [{ id = "yamllint", args = ["-c", ".yamllint.yaml"] }]
 
 # Ansible linting
@@ -69,12 +69,12 @@ name = "ansible-lint"
 entry = "env ANSIBLE_ROLES_PATH=ansible/roles ansible-lint"
 language = "python"
 files = "^ansible/"
-additional_dependencies = ["ansible-lint>=26.3.0", "ansible-core>=2.18"]
+additional_dependencies = ["ansible-lint==26.4.0", "ansible-core==2.20.5"]
 
 # Python - ruff for linting and formatting
 [[repos]]
 repo = "https://github.com/astral-sh/ruff-pre-commit"
-rev = "v0.15.7"
+rev = "6fec9b7edb08fd9989088709d864a7826dc74e80"                    # v0.15.12
 hooks = [{ id = "ruff", args = ["--fix"] }, { id = "ruff-format" }]
 
 # Python - ty type checker
@@ -92,30 +92,30 @@ pass_filenames = false
 # Shell scripts - shellcheck and shfmt
 [[repos]]
 repo = "https://github.com/shellcheck-py/shellcheck-py"
-rev = "v0.11.0.1"
+rev = "745eface02aef23e168a8afb6b5737818efbea95"               # v0.11.0.1
 hooks = [{ id = "shellcheck", args = ["--severity=warning"] }]
 
 [[repos]]
 repo = "https://github.com/scop/pre-commit-shfmt"
-rev = "v3.13.0-1"
+rev = "05c1426671b9237fb5e1444dd63aa5731bec0dfb"             # v3.13.1-1
 hooks = [{ id = "shfmt", args = ["-i", "2", "-ci", "-bn"] }]
 
 # TOML - taplo
 [[repos]]
 repo = "https://github.com/ComPWA/taplo-pre-commit"
-rev = "v0.9.3"
-hooks = [{ id = "taplo-format" }, { id = "taplo-lint" }]
+rev = "23eab0f0eedcbedebff420f5fdfb284744adc7b3"                                 # v0.9.3
+hooks = [{ id = "taplo-format" }, { id = "taplo-lint", args = ["--no-schema"] }]
 
 # JSON formatting (prettier for consistent style)
 [[repos]]
 repo = "https://github.com/rbubley/mirrors-prettier"
-rev = "v3.8.1"
+rev = "515f543f5718ebfd6ce22e16708bb32c68ff96e1"                                # v3.8.3
 hooks = [{ id = "prettier", types_or = ["json"], args = ["--tab-width", "2"] }]
 
 # GitHub/Forgejo Actions workflow linting
 [[repos]]
 repo = "https://github.com/rhysd/actionlint"
-rev = "v1.7.11"
+rev = "914e7df21a07ef503a81201c76d2b11c789d3fca" # v1.7.12
 hooks = [
   { id = "actionlint-system", args = [
     "-config-file",