diff --git a/docs/changelog.d/update-tooling-deps-2026-04.infra.md b/docs/changelog.d/update-tooling-deps-2026-04.infra.md new file mode 100644 index 0000000..4731eca --- /dev/null +++ b/docs/changelog.d/update-tooling-deps-2026-04.infra.md @@ -0,0 +1 @@ +Monthly tooling dependency refresh: prek hooks (trufflehog, kingfisher, ruff, shfmt, prettier, actionlint, ansible-lint), fly proxy base images (nginx 1.30.0, tailscale v1.94.2, alloy v1.16.0), normalize pyyaml lower bound in mise-tasks. diff --git a/docs/how-to/configuration/update-tooling-dependencies.md b/docs/how-to/configuration/update-tooling-dependencies.md index 8b09e6d..2bfe887 100644 --- a/docs/how-to/configuration/update-tooling-dependencies.md +++ b/docs/how-to/configuration/update-tooling-dependencies.md @@ -28,33 +28,45 @@ Out of scope: ArgoCD-deployed service images, Ansible role versions, NixOS flake ### 1. Check prek hook versions -For each repo in `prek.toml` with a `rev =` value, check the upstream GitHub releases page for a newer tag. Update each `rev` to the latest release tag. Also check `additional_dependencies` entries for PyPI version bumps. - -Verify after updating: +For each repo in `prek.toml` with a `rev =` value, check the upstream GitHub releases page for a newer tag. Update each `rev` to the **commit SHA** of the latest release with a trailing `# vX.Y.Z` comment (matches the `additional_dependencies` and Forgejo workflow pinning style). Also check `additional_dependencies` entries for PyPI version bumps and pin them with `==`. ```fish +git ls-remote --tags https://github.com//.git 'refs/tags/v*' | sort -t/ -k3 -V | tail -5 +``` + +Clear the prek cache before verifying — it can grow to several GiB (one venv per hook per version) and old cached environments can mask resolution failures or stale catalogs: + +```fish +prek clean prek run --all-files ``` ### 2. Check Fly.io Dockerfile pins -Review `fly/Dockerfile` for pinned image tags: +Review `fly/Dockerfile` for pinned image digests. Each `FROM` and `COPY --from=` uses `image@sha256:...` digest pinning with a comment line above documenting the human-readable version. - **nginx** — check [Docker Hub](https://hub.docker.com/_/nginx) for latest stable alpine tag - **grafana/alloy** — check [GitHub releases](https://github.com/grafana/alloy/releases) -- **tailscale/tailscale** — uses `stable` rolling tag, no action needed +- **tailscale/tailscale** — pinned to a known-good version. Do not bump to v1.96.5 or later (MagicDNS regression breaks the proxy boot) + +To resolve a tag to a digest: + +```fish +docker buildx imagetools inspect docker.io/: +# Use the top-level "Digest:" line (multi-arch index) — not the per-platform sub-digest +``` After updating, the deploy-fly workflow will build and deploy on merge to main. Verify with `fly status -a blumeops-proxy` after deploy. -### 3. Normalize mise task dependency bounds +### 3. Pin mise task dependencies -Mise tasks use `uv run --script` with inline PEP 723 dependency metadata. Check that lower bounds are consistent across all scripts: +Mise tasks use `uv run --script` with inline PEP 723 dependency metadata. All packages are pinned with `==` (PEP 508 doesn't support hashes inline). Check that pinned versions are consistent across all scripts: ```fish grep -r 'dependencies' mise-tasks/ | grep '# dependencies' ``` -Ensure all scripts using the same package agree on the minimum version. When a package has a new major or breaking minor release, bump the lower bound across all scripts at once. +For each package in use (`httpx`, `rich`, `typer`, `pyyaml`), pick the latest PyPI version and update every script in lockstep — divergence between scripts is the failure mode this catches. Bump everything together; don't leave one script behind. ### 4. Pin Forgejo workflow action versions diff --git a/fly/Dockerfile b/fly/Dockerfile index 8a6df31..eae8c35 100644 --- a/fly/Dockerfile +++ b/fly/Dockerfile @@ -1,9 +1,10 @@ -FROM nginx:1.29.6-alpine +# nginx 1.30.0-alpine +FROM nginx@sha256:0272e4604ed93c1792f03695a033a6e8546840f86e0de20a884bb17d2c924883 -# Copy tailscale binaries from official image -COPY --from=docker.io/tailscale/tailscale:v1.94.1 \ +# Copy tailscale binaries from official image (v1.94.2) +COPY --from=docker.io/tailscale/tailscale@sha256:95e528798bebe75f39b10e74e7051cf51188ee615934f232ba7ad06a3390ffa1 \ /usr/local/bin/tailscaled /usr/local/bin/tailscaled -COPY --from=docker.io/tailscale/tailscale:v1.94.1 \ +COPY --from=docker.io/tailscale/tailscale@sha256:95e528798bebe75f39b10e74e7051cf51188ee615934f232ba7ad06a3390ffa1 \ /usr/local/bin/tailscale /usr/local/bin/tailscale RUN mkdir -p /var/run/tailscale /var/lib/tailscale \ @@ -12,8 +13,8 @@ RUN mkdir -p /var/run/tailscale /var/lib/tailscale \ && apk add --no-cache fail2ban \ && rm -f /etc/fail2ban/jail.d/alpine-ssh.conf -# Copy Alloy binary from official image (Ubuntu-based, needs libc6-compat) -COPY --from=docker.io/grafana/alloy:v1.14.1 \ +# Copy Alloy binary from official image (v1.16.0, Ubuntu-based, needs libc6-compat) +COPY --from=docker.io/grafana/alloy@sha256:6e00cf7c5a692ff5f24844529416ed017d76fce922f8199004e73d5eca46b6b8 \ /bin/alloy /usr/local/bin/alloy RUN mkdir -p /var/log/nginx /etc/alloy /tmp/alloy-data diff --git a/mise-tasks/blumeops-tasks b/mise-tasks/blumeops-tasks index e07e9bf..035aa3b 100755 --- a/mise-tasks/blumeops-tasks +++ b/mise-tasks/blumeops-tasks @@ -1,7 +1,7 @@ #!/usr/bin/env -S uv run --script # /// script # requires-python = ">=3.12" -# dependencies = ["httpx>=0.28.1", "rich>=14.0.0"] +# dependencies = ["httpx==0.28.1", "rich==15.0.0"] # /// #MISE description="List Blumeops tasks from Todoist sorted by priority" """Fetch and display Blumeops tasks from Todoist, sorted by priority. diff --git a/mise-tasks/branch-cleanup b/mise-tasks/branch-cleanup index bd5ac66..575c9a1 100755 --- a/mise-tasks/branch-cleanup +++ b/mise-tasks/branch-cleanup @@ -1,7 +1,7 @@ #!/usr/bin/env -S uv run --script # /// script # requires-python = ">=3.12" -# dependencies = ["httpx>=0.28.1", "rich>=14.0.0", "typer>=0.24.0"] +# dependencies = ["httpx==0.28.1", "rich==15.0.0", "typer==0.25.0"] # /// #MISE description="Delete branches that have been merged into main (local and remote)" #MISE alias="bc" diff --git a/mise-tasks/container-build-and-release b/mise-tasks/container-build-and-release index afa970e..ba569e7 100755 --- a/mise-tasks/container-build-and-release +++ b/mise-tasks/container-build-and-release @@ -1,7 +1,7 @@ #!/usr/bin/env -S uv run --script # /// script # requires-python = ">=3.12" -# dependencies = ["typer>=0.24.0", "httpx>=0.28.1"] +# dependencies = ["typer==0.25.0", "httpx==0.28.1"] # /// #MISE description="Trigger container build workflows via Forgejo API" #USAGE arg "" help="Container name (directory under containers/)" diff --git a/mise-tasks/container-list b/mise-tasks/container-list index b1bd433..26639f2 100755 --- a/mise-tasks/container-list +++ b/mise-tasks/container-list @@ -1,7 +1,7 @@ #!/usr/bin/env -S uv run --script # /// script # requires-python = ">=3.12" -# dependencies = ["httpx>=0.28.1", "rich>=14.0.0", "typer>=0.24.0"] +# dependencies = ["httpx==0.28.1", "rich==15.0.0", "typer==0.25.0"] # /// #MISE description="List available containers and their recent tags" #USAGE arg "[name]" help="Optional container name to filter output" diff --git a/mise-tasks/container-version-check b/mise-tasks/container-version-check index 95cf6f0..4ebe3b6 100755 --- a/mise-tasks/container-version-check +++ b/mise-tasks/container-version-check @@ -1,7 +1,7 @@ #!/usr/bin/env -S uv run --script # /// script # requires-python = ">=3.12" -# dependencies = ["pyyaml>=6.0.2", "rich>=14.0.0", "typer>=0.24.0"] +# dependencies = ["pyyaml==6.0.3", "rich==15.0.0", "typer==0.25.0"] # /// #MISE description="Validate container version consistency across container.py, Dockerfiles, nix derivations, and service-versions.yaml" #USAGE flag "--all-files" help="Check all containers, not just changed ones" diff --git a/mise-tasks/dns-acme-cleanup b/mise-tasks/dns-acme-cleanup index 5152ae2..432a6ce 100755 --- a/mise-tasks/dns-acme-cleanup +++ b/mise-tasks/dns-acme-cleanup @@ -1,7 +1,7 @@ #!/usr/bin/env -S uv run --script # /// script # requires-python = ">=3.12" -# dependencies = ["httpx>=0.28.1", "rich>=14.0.0", "typer>=0.24.0"] +# dependencies = ["httpx==0.28.1", "rich==15.0.0", "typer==0.25.0"] # /// #MISE description="Delete orphaned ACME challenge TXT records in eblu.me" #USAGE flag "--dry-run" help="List orphans without deleting" diff --git a/mise-tasks/docs-check-frontmatter b/mise-tasks/docs-check-frontmatter index 11d1a49..35e1879 100755 --- a/mise-tasks/docs-check-frontmatter +++ b/mise-tasks/docs-check-frontmatter @@ -1,7 +1,7 @@ #!/usr/bin/env -S uv run --script # /// script # requires-python = ">=3.12" -# dependencies = ["rich>=14.0.0"] +# dependencies = ["rich==15.0.0"] # /// #MISE description="Check that all docs have required frontmatter fields" """Validate that all documentation files have required YAML frontmatter. diff --git a/mise-tasks/docs-check-links b/mise-tasks/docs-check-links index 78e871a..9974fc7 100755 --- a/mise-tasks/docs-check-links +++ b/mise-tasks/docs-check-links @@ -1,7 +1,7 @@ #!/usr/bin/env -S uv run --script # /// script # requires-python = ">=3.12" -# dependencies = ["rich>=14.0.0"] +# dependencies = ["rich==15.0.0"] # /// #MISE description="Validate all wiki-links point to existing doc files" """Validate that all wiki-links in documentation point to existing files. diff --git a/mise-tasks/docs-mikado b/mise-tasks/docs-mikado index 0b37f51..eea052f 100755 --- a/mise-tasks/docs-mikado +++ b/mise-tasks/docs-mikado @@ -1,7 +1,7 @@ #!/usr/bin/env -S uv run --script # /// script # requires-python = ">=3.12" -# dependencies = ["httpx>=0.28.1", "pyyaml>=6.0.2", "rich>=14.0.0", "typer>=0.24.0"] +# dependencies = ["httpx==0.28.1", "pyyaml==6.0.3", "rich==15.0.0", "typer==0.25.0"] # /// #MISE description="View active Mikado dependency chains for C2 changes" #USAGE arg "[card]" help="Card stem to show chain for" diff --git a/mise-tasks/docs-preview b/mise-tasks/docs-preview index f63b1d1..faa79af 100755 --- a/mise-tasks/docs-preview +++ b/mise-tasks/docs-preview @@ -1,7 +1,7 @@ #!/usr/bin/env -S uv run --script # /// script # requires-python = ">=3.12" -# dependencies = ["pyyaml>=6.0.2", "rich>=14.0.0", "typer>=0.24.0"] +# dependencies = ["pyyaml==6.0.3", "rich==15.0.0", "typer==0.25.0"] # /// #MISE description="Build docs with Dagger and serve locally, opening to a specific card" #USAGE arg "" help="Card path relative to docs/, e.g. how-to/knowledgebase/review-documentation" diff --git a/mise-tasks/docs-review b/mise-tasks/docs-review index 49cf4d0..d07904d 100755 --- a/mise-tasks/docs-review +++ b/mise-tasks/docs-review @@ -1,7 +1,7 @@ #!/usr/bin/env -S uv run --script # /// script # requires-python = ">=3.12" -# dependencies = ["pyyaml>=6.0.2", "rich>=14.0.0", "typer>=0.24.0"] +# dependencies = ["pyyaml==6.0.3", "rich==15.0.0", "typer==0.25.0"] # /// #MISE description="Review the most stale documentation card by last-reviewed date" #USAGE flag "--limit " default="15" help="Number of docs to show in the table" diff --git a/mise-tasks/docs-review-stale b/mise-tasks/docs-review-stale index facbf6b..4449213 100755 --- a/mise-tasks/docs-review-stale +++ b/mise-tasks/docs-review-stale @@ -1,7 +1,7 @@ #!/usr/bin/env -S uv run --script # /// script # requires-python = ">=3.12" -# dependencies = ["rich>=14.0.0", "typer>=0.24.0"] +# dependencies = ["rich==15.0.0", "typer==0.25.0"] # /// #MISE description="Report docs by git-last-modified date, highlighting stale ones" #USAGE flag "--threshold " default="180" help="Days before a doc is considered stale" diff --git a/mise-tasks/docs-review-tags b/mise-tasks/docs-review-tags index 0e7f1d4..869e2f2 100755 --- a/mise-tasks/docs-review-tags +++ b/mise-tasks/docs-review-tags @@ -1,7 +1,7 @@ #!/usr/bin/env -S uv run --script # /// script # requires-python = ">=3.12" -# dependencies = ["pyyaml>=6.0.2", "rich>=14.0.0"] +# dependencies = ["pyyaml==6.0.3", "rich==15.0.0"] # /// #MISE description="Print frontmatter tag inventory across all docs" """Print every frontmatter tag with usage count and file list. diff --git a/mise-tasks/mikado-branch-invariant-check b/mise-tasks/mikado-branch-invariant-check index ca9f79a..1f0fbcf 100755 --- a/mise-tasks/mikado-branch-invariant-check +++ b/mise-tasks/mikado-branch-invariant-check @@ -1,7 +1,7 @@ #!/usr/bin/env -S uv run --script # /// script # requires-python = ">=3.12" -# dependencies = ["rich>=14.0.0", "typer>=0.24.0"] +# dependencies = ["rich==15.0.0", "typer==0.25.0"] # /// #MISE description="Validate Mikado Branch Invariant on mikado/* branches" #USAGE arg "[commit_msg_file]" help="Commit message file (passed by commit-msg hook)" diff --git a/mise-tasks/op-backup b/mise-tasks/op-backup index 6ffef14..37a97a6 100755 --- a/mise-tasks/op-backup +++ b/mise-tasks/op-backup @@ -1,7 +1,7 @@ #!/usr/bin/env -S uv run --script # /// script # requires-python = ">=3.12" -# dependencies = ["rich>=14.0.0", "typer>=0.24.0"] +# dependencies = ["rich==15.0.0", "typer==0.25.0"] # /// #MISE description="Encrypt a 1Password .1pux export and send to indri for borgmatic" #USAGE arg "[export_path]" help="Path to .1pux export file (prompted if omitted)" diff --git a/mise-tasks/pr-comments b/mise-tasks/pr-comments index a44a430..7205617 100755 --- a/mise-tasks/pr-comments +++ b/mise-tasks/pr-comments @@ -1,7 +1,7 @@ #!/usr/bin/env -S uv run --script # /// script # requires-python = ">=3.12" -# dependencies = ["httpx>=0.28.1", "rich>=14.0.0", "typer>=0.24.0"] +# dependencies = ["httpx==0.28.1", "rich==15.0.0", "typer==0.25.0"] # /// #MISE description="List unresolved comments on a PR" #USAGE arg "" help="Pull request number" diff --git a/mise-tasks/prune-ringtail-generations b/mise-tasks/prune-ringtail-generations index 8066f8b..2b8e3f9 100755 --- a/mise-tasks/prune-ringtail-generations +++ b/mise-tasks/prune-ringtail-generations @@ -1,7 +1,7 @@ #!/usr/bin/env -S uv run --script # /// script # requires-python = ">=3.12" -# dependencies = ["rich>=14.0.0", "typer>=0.24.0"] +# dependencies = ["rich==15.0.0", "typer==0.25.0"] # /// #MISE description="Prune old NixOS generations on ringtail, preserving rollback safety" #MISE alias="prg" diff --git a/mise-tasks/review-compensating-controls b/mise-tasks/review-compensating-controls index 09e2d16..e92d302 100755 --- a/mise-tasks/review-compensating-controls +++ b/mise-tasks/review-compensating-controls @@ -1,7 +1,7 @@ #!/usr/bin/env -S uv run --script # /// script # requires-python = ">=3.12" -# dependencies = ["pyyaml>=6.0.2", "rich>=14.0.0", "typer>=0.24.0"] +# dependencies = ["pyyaml==6.0.3", "rich==15.0.0", "typer==0.25.0"] # /// #MISE description="Review the most stale compensating control" #USAGE flag "--limit " default="10" help="Number of controls to show in the table" diff --git a/mise-tasks/review-compliance-reports b/mise-tasks/review-compliance-reports index 72f35cc..bcbe090 100755 --- a/mise-tasks/review-compliance-reports +++ b/mise-tasks/review-compliance-reports @@ -1,7 +1,7 @@ #!/usr/bin/env -S uv run --script # /// script # requires-python = ">=3.12" -# dependencies = ["rich>=14.0.0", "typer>=0.24.0", "pyyaml>=6.0"] +# dependencies = ["rich==15.0.0", "typer==0.25.0", "pyyaml==6.0.3"] # /// #MISE description="Summarize the latest Prowler and Kingfisher compliance reports from sifaka" #USAGE flag "--full" help="Show all unmuted failures, not just new ones" diff --git a/mise-tasks/runner-logs b/mise-tasks/runner-logs index 579a5fd..9c988ee 100755 --- a/mise-tasks/runner-logs +++ b/mise-tasks/runner-logs @@ -1,7 +1,7 @@ #!/usr/bin/env -S uv run --script # /// script # requires-python = ">=3.12" -# dependencies = ["httpx>=0.28.1", "rich>=14.0.0", "typer>=0.24.0"] +# dependencies = ["httpx==0.28.1", "rich==15.0.0", "typer==0.25.0"] # /// #MISE description="List recent Forgejo Actions runs or fetch logs for a specific job" #USAGE arg "[run_number]" help="Run number to show jobs for (omit to list recent runs)" diff --git a/mise-tasks/service-review b/mise-tasks/service-review index 01c4ce0..2d50e0b 100755 --- a/mise-tasks/service-review +++ b/mise-tasks/service-review @@ -1,7 +1,7 @@ #!/usr/bin/env -S uv run --script # /// script # requires-python = ">=3.12" -# dependencies = ["pyyaml>=6.0.2", "rich>=14.0.0", "typer>=0.24.0"] +# dependencies = ["pyyaml==6.0.3", "rich==15.0.0", "typer==0.25.0"] # /// #MISE description="Review the most stale service for version freshness" #USAGE flag "--limit " default="15" help="Number of services to show in the table" diff --git a/mise-tasks/spork-create b/mise-tasks/spork-create index 84d2999..92f4e5c 100755 --- a/mise-tasks/spork-create +++ b/mise-tasks/spork-create @@ -1,7 +1,7 @@ #!/usr/bin/env -S uv run --script # /// script # requires-python = ">=3.12" -# dependencies = ["httpx>=0.28.1", "rich>=14.0.0", "typer>=0.24.0"] +# dependencies = ["httpx==0.28.1", "rich==15.0.0", "typer==0.25.0"] # /// #MISE description="Create a spork (floating-branch soft-fork) of a mirrored upstream project" #USAGE arg "" help="Repository name in the mirrors/ org on forge (e.g. kingfisher)" diff --git a/prek.toml b/prek.toml index 28776c5..add7799 100644 --- a/prek.toml +++ b/prek.toml @@ -22,13 +22,13 @@ hooks = [ # check-yaml with --unsafe (builtin fast path doesn't support --unsafe yet) [[repos]] repo = "https://github.com/pre-commit/pre-commit-hooks" -rev = "v6.0.0" +rev = "3e8a8703264a2f4a69428a0aa4dcb512790b2c8c" # v6.0.0 hooks = [{ id = "check-yaml", args = ["--unsafe"] }] # Secret detection (running both tools in parallel to compare coverage) [[repos]] repo = "https://github.com/trufflesecurity/trufflehog" -rev = "v3.94.0" +rev = "17456f8c7d042d8c82c9a8ca9e937231f9f42e26" # v3.95.2 hooks = [ { id = "trufflehog", entry = "trufflehog git file://. --since-commit HEAD --no-verification --fail", stages = [ "pre-commit", @@ -38,7 +38,7 @@ hooks = [ [[repos]] repo = "https://github.com/mongodb/kingfisher" -rev = "v1.91.0" +rev = "9ddec4ab8b53653d4941e6b3fd4ff602ce91d81b" # v1.97.0 hooks = [ { id = "kingfisher", args = [ "scan", @@ -56,7 +56,7 @@ hooks = [ # YAML linting [[repos]] repo = "https://github.com/adrienverge/yamllint" -rev = "v1.38.0" +rev = "cba56bcde1fdd01c1deb3f945e69764c291a6530" # v1.38.0 hooks = [{ id = "yamllint", args = ["-c", ".yamllint.yaml"] }] # Ansible linting @@ -69,12 +69,12 @@ name = "ansible-lint" entry = "env ANSIBLE_ROLES_PATH=ansible/roles ansible-lint" language = "python" files = "^ansible/" -additional_dependencies = ["ansible-lint>=26.3.0", "ansible-core>=2.18"] +additional_dependencies = ["ansible-lint==26.4.0", "ansible-core==2.20.5"] # Python - ruff for linting and formatting [[repos]] repo = "https://github.com/astral-sh/ruff-pre-commit" -rev = "v0.15.7" +rev = "6fec9b7edb08fd9989088709d864a7826dc74e80" # v0.15.12 hooks = [{ id = "ruff", args = ["--fix"] }, { id = "ruff-format" }] # Python - ty type checker @@ -92,30 +92,30 @@ pass_filenames = false # Shell scripts - shellcheck and shfmt [[repos]] repo = "https://github.com/shellcheck-py/shellcheck-py" -rev = "v0.11.0.1" +rev = "745eface02aef23e168a8afb6b5737818efbea95" # v0.11.0.1 hooks = [{ id = "shellcheck", args = ["--severity=warning"] }] [[repos]] repo = "https://github.com/scop/pre-commit-shfmt" -rev = "v3.13.0-1" +rev = "05c1426671b9237fb5e1444dd63aa5731bec0dfb" # v3.13.1-1 hooks = [{ id = "shfmt", args = ["-i", "2", "-ci", "-bn"] }] # TOML - taplo [[repos]] repo = "https://github.com/ComPWA/taplo-pre-commit" -rev = "v0.9.3" -hooks = [{ id = "taplo-format" }, { id = "taplo-lint" }] +rev = "23eab0f0eedcbedebff420f5fdfb284744adc7b3" # v0.9.3 +hooks = [{ id = "taplo-format" }, { id = "taplo-lint", args = ["--no-schema"] }] # JSON formatting (prettier for consistent style) [[repos]] repo = "https://github.com/rbubley/mirrors-prettier" -rev = "v3.8.1" +rev = "515f543f5718ebfd6ce22e16708bb32c68ff96e1" # v3.8.3 hooks = [{ id = "prettier", types_or = ["json"], args = ["--tab-width", "2"] }] # GitHub/Forgejo Actions workflow linting [[repos]] repo = "https://github.com/rhysd/actionlint" -rev = "v1.7.11" +rev = "914e7df21a07ef503a81201c76d2b11c789d3fca" # v1.7.12 hooks = [ { id = "actionlint-system", args = [ "-config-file",