Update tooling dependencies (Feb 2026 cycle) (#254)

## Summary Monthly tooling dependency update cycle: - **Pre-commit hooks**: trufflehog v3.92.5→v3.93.4, ruff v0.14.13→v0.15.2, shellcheck v0.10.0.1→v0.11.0.1, prettier v3.8.0→v3.8.1, actionlint v1.7.10→v1.7.11 - **Fly.io Dockerfile**: pin nginx to 1.28.2-alpine (was unpinned), bump alloy v1.5.1→v1.13.1 - **Mise tasks**: normalize httpx lower bound to >=0.28.0 and typer to >=0.15.0 across all scripts - **Forgejo workflows**: actions/checkout@v4 is current, no changes needed - **New how-to doc**: [[update-tooling-dependencies]] documenting this monthly cycle ## No changes needed - pre-commit-hooks v6.0.0, yamllint v1.38.0, shfmt v3.12.0-2, taplo v0.9.3, ansible-lint 26.1.1 — all already at latest ## Test plan - [x] `uvx pre-commit run --all-files` — all 24 hooks pass - [ ] Fly.io deploy (triggered automatically on merge to main via deploy-fly workflow) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/254
2026-02-23 13:08:41 -08:00 · 2026-02-23 13:08:41 -08:00 · cb9a06bb75
commit cb9a06bb75
parent 75fde54355
10 changed files with 83 additions and 12 deletions
--- a/docs/changelog.d/update-dependency-bumps-2026-02.infra.md
+++ b/docs/changelog.d/update-dependency-bumps-2026-02.infra.md
@ -0,0 +1 @@
+Update tooling dependencies: pre-commit hooks (trufflehog, ruff, shellcheck, prettier, actionlint), Fly.io Dockerfile (pin nginx 1.28.2-alpine, alloy v1.13.1), and normalize mise task Python lower bounds.
--- a/docs/how-to/configuration/update-tooling-dependencies.md
+++ b/docs/how-to/configuration/update-tooling-dependencies.md
@ -0,0 +1,69 @@
+---
+title: Update Tooling Dependencies
+modified: 2026-02-23
+last-reviewed: 2026-02-23
+tags:
+  - how-to
+  - configuration
+---
+
+# Update Tooling Dependencies
+
+Monthly maintenance cycle for updating development tooling and CI dependencies. This is separate from [[review-services]], which tracks deployed service versions.
+
+## Scope
+
+| Category | Location | What to check |
+|----------|----------|---------------|
+| Pre-commit hooks | `.pre-commit-config.yaml` | `rev:` tags for all remote repos |
+| Fly.io proxy | `fly/Dockerfile` | Pinned image tags (nginx, alloy) |
+| Mise task scripts | `mise-tasks/*` | Python `# dependencies` lower bounds |
+| Forgejo workflows | `.forgejo/workflows/*.yaml` | `uses:` action versions |
+
+Out of scope: ArgoCD-deployed service images, Ansible role versions, NixOS flake inputs. Those are covered by [[review-services]] and [[manage-lockfile]].
+
+## Procedure
+
+### 1. Check pre-commit hook versions
+
+For each repo in `.pre-commit-config.yaml` with a `rev:` tag, check the upstream GitHub releases page for a newer tag. Update each `rev:` to the latest release tag. Also check `additional_dependencies` entries for PyPI version bumps.
+
+Verify after updating:
+
+```fish
+uvx pre-commit run --all-files
+```
+
+### 2. Check Fly.io Dockerfile pins
+
+Review `fly/Dockerfile` for pinned image tags:
+
+- **nginx** — check [Docker Hub](https://hub.docker.com/_/nginx) for latest stable alpine tag
+- **grafana/alloy** — check [GitHub releases](https://github.com/grafana/alloy/releases)
+- **tailscale/tailscale** — uses `stable` rolling tag, no action needed
+
+After updating, the deploy-fly workflow will build and deploy on merge to main. Verify with `fly status -a blumeops-proxy` after deploy.
+
+### 3. Normalize mise task dependency bounds
+
+Mise tasks use `uv run --script` with inline PEP 723 dependency metadata. Check that lower bounds are consistent across all scripts:
+
+```fish
+grep -r 'dependencies' mise-tasks/ | grep '# dependencies'
+```
+
+Ensure all scripts using the same package agree on the minimum version. When a package has a new major or breaking minor release, bump the lower bound across all scripts at once.
+
+### 4. Check Forgejo workflow action versions
+
+Review `.forgejo/workflows/*.yaml` for `uses:` directives. Currently all workflows use `actions/checkout@v4` which tracks the latest v4.x.
+
+### 5. Commit and create PR
+
+Create a single PR with all dependency bumps. The changelog fragment type is `infra`.
+
+## Notes
+
+- **Alloy version gaps**: Grafana Alloy releases frequently. Large version jumps (e.g., v1.5 to v1.13) are normal and generally safe — check the [changelog](https://github.com/grafana/alloy/releases) for breaking changes in the Alloy River config syntax.
+- **Ruff minor bumps**: Ruff adds new lint rules in minor versions. A bump may surface new warnings. Run `uvx pre-commit run ruff --all-files` to check before committing.
+- **shellcheck bumps**: New shellcheck versions may flag previously-ignored patterns. Review any new failures before updating.
--- a/docs/how-to/how-to.md
+++ b/docs/how-to/how-to.md
@ -27,6 +27,7 @@ Task-oriented instructions for common BlumeOps operations. These guides assume y
 | [[use-pypi-proxy]] | Configure pip and publish packages to devpi |
 | [[expose-service-publicly]] | Expose a service to the public internet via Fly.io + Tailscale |
 | [[update-documentation]] | Publish docs via build-blumeops workflow |
+| [[update-tooling-dependencies]] | Monthly update cycle for pre-commit, Fly, mise, and workflow deps |

 ## Knowledge Base
				`@ -0,0 +1 @@`
				`Update tooling dependencies: pre-commit hooks (trufflehog, ruff, shellcheck, prettier, actionlint), Fly.io Dockerfile (pin nginx 1.28.2-alpine, alloy v1.13.1), and normalize mise task Python lower bounds.`