Recurring maintenance batch (2026-05-27) (#360)

Bundle of recurring overdue tasks:

- Ringtail flake update
- Security & compliance report review
- Tooling deps bump (prek, fly, mise, forgejo workflows)
- Top stale doc review
- Top stale service review (if trivial)

Larger items (service version bumps requiring upgrades, non-local container migration) split out as separate PRs.

Reviewed-on: #360

prek.toml

@@ -28,7 +28,7 @@ hooks = [{ id = "check-yaml", args = ["--unsafe"] }]
 # Secret detection (running both tools in parallel to compare coverage)
 [[repos]]
 repo = "https://github.com/trufflesecurity/trufflehog"
-rev = "17456f8c7d042d8c82c9a8ca9e937231f9f42e26" # v3.95.2
+rev = "37b77001d0174ebec2fcca2bd83ff83a6d45a3ab" # v3.95.3
 hooks = [
   { id = "trufflehog", entry = "trufflehog git file://. --since-commit HEAD --no-verification --fail", stages = [
     "pre-commit",
@@ -38,7 +38,7 @@ hooks = [
 
 [[repos]]
 repo = "https://github.com/mongodb/kingfisher"
-rev = "9ddec4ab8b53653d4941e6b3fd4ff602ce91d81b" # v1.97.0
+rev = "6f560103cc6ea082ef4b80a9098e3f3111afb8bc" # v1.101.0
 hooks = [
   { id = "kingfisher", args = [
     "scan",
@@ -69,12 +69,12 @@ name = "ansible-lint"
 entry = "env ANSIBLE_ROLES_PATH=ansible/roles ansible-lint"
 language = "python"
 files = "^ansible/"
-additional_dependencies = ["ansible-lint==26.4.0", "ansible-core==2.20.5"]
+additional_dependencies = ["ansible-lint==26.4.0", "ansible-core==2.21.0"]
 
 # Python - ruff for linting and formatting
 [[repos]]
 repo = "https://github.com/astral-sh/ruff-pre-commit"
-rev = "6fec9b7edb08fd9989088709d864a7826dc74e80"                    # v0.15.12
+rev = "0c7b6c989466a93942def1f84baf36ddfcd60c83"                    # v0.15.14
 hooks = [{ id = "ruff", args = ["--fix"] }, { id = "ruff-format" }]
 
 # Python - ty type checker