diff --git a/.forgejo/workflows/branch-cleanup.yaml b/.forgejo/workflows/branch-cleanup.yaml
index 61307ea..29ed67c 100644
--- a/.forgejo/workflows/branch-cleanup.yaml
+++ b/.forgejo/workflows/branch-cleanup.yaml
@@ -26,7 +26,7 @@ jobs:
 runs-on: k8s
 steps:
 - name: Checkout
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Run branch cleanup
 env:
diff --git a/.forgejo/workflows/build-blumeops.yaml b/.forgejo/workflows/build-blumeops.yaml
index e6fe92d..383542f 100644
--- a/.forgejo/workflows/build-blumeops.yaml
+++ b/.forgejo/workflows/build-blumeops.yaml
@@ -104,7 +104,7 @@ jobs:
 echo "Building BlumeOps release: $VERSION"
 - name: Checkout
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
diff --git a/.forgejo/workflows/build-container.yaml b/.forgejo/workflows/build-container.yaml
index 36134b8..6bd08e0 100644
--- a/.forgejo/workflows/build-container.yaml
+++ b/.forgejo/workflows/build-container.yaml
@@ -28,7 +28,7 @@ jobs:
 nix: ${{ steps.classify.outputs.nix }}
 steps:
 - name: Checkout
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 2
@@ -77,7 +77,7 @@ jobs:
 container: ${{ fromJson(needs.detect.outputs.dockerfile) }}
 steps:
 - name: Checkout
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 ref: ${{ inputs.ref || github.sha }}
@@ -129,7 +129,7 @@ jobs:
 container: ${{ fromJson(needs.detect.outputs.nix) }}
 steps:
 - name: Checkout
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 ref: ${{ inputs.ref || github.sha }}
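Review bot: The `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2` line in branch-cleanup.yaml, repeated in build-blumeops.yaml, the three build-container.yaml hunks, cv-deploy.yaml and deploy-fly.yaml, crosses two major versions, and nothing in the diff shows the `k8s` runner was exercised against it. As far as I know from the upstream release notes, v5 moved the action to the Node 24 runtime and v6 changed where persisted credentials are stored (a separate file instead of `.git/config`), so any later step that pushes or fetches with the checkout token deserves one test run per workflow before merge. Keeping the full commit SHA with the version comment is the right pin; for jobs that never use git after checkout, `with: persist-credentials: false` would additionally keep the token off disk. The job bodies continue outside these hunks, so which steps rely on the token is not visible here.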
diff --git a/.forgejo/workflows/cv-deploy.yaml b/.forgejo/workflows/cv-deploy.yaml
index b03b925..f99352d 100644
--- a/.forgejo/workflows/cv-deploy.yaml
+++ b/.forgejo/workflows/cv-deploy.yaml
@@ -58,7 +58,7 @@ jobs:
 echo "version=$VERSION" >> "$GITHUB_OUTPUT"
 - name: Checkout
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Update CV deployment
 run: |
diff --git a/.forgejo/workflows/deploy-fly.yaml b/.forgejo/workflows/deploy-fly.yaml
index 0a63345..a2b389b 100644
--- a/.forgejo/workflows/deploy-fly.yaml
+++ b/.forgejo/workflows/deploy-fly.yaml
@@ -12,7 +12,7 @@ jobs:
 runs-on: k8s
 steps:
 - name: Checkout
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Install flyctl
 run: |
diff --git a/docs/changelog.d/update-tooling-deps-2026-03.infra.md b/docs/changelog.d/update-tooling-deps-2026-03.infra.md
new file mode 100644
index 0000000..b0f162f
--- /dev/null
+++ b/docs/changelog.d/update-tooling-deps-2026-03.infra.md
@@ -0,0 +1 @@
+Monthly tooling dependency update: bump prek hooks (trufflehog 3.94.0, ruff 0.15.7, shfmt 3.13.0), Fly.io images (nginx 1.29.6, Alloy 1.14.1), actions/checkout v4.3.1→v6.0.2, tighten mise task Python lower bounds (rich 14, typer 0.24, httpx 0.28.1, pyyaml 6.0.2), and bump ansible-lint/ansible-core floors.
diff --git a/fly/Dockerfile b/fly/Dockerfile
index 65135c1..3f866fa 100644
--- a/fly/Dockerfile
+++ b/fly/Dockerfile
@@ -1,4 +1,4 @@
-FROM nginx:1.28.2-alpine
+FROM nginx:1.29.6-alpine
 # Copy tailscale binaries from official image
 COPY --from=docker.io/tailscale/tailscale:stable \
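Review bot: `FROM nginx:1.29.6-alpine` is still a mutable tag, as is `grafana/alloy:v1.14.1` in the next hunk of fly/Dockerfile, while the same commit pins actions/checkout to a full commit SHA. Pinning the images by digest as well, for example `FROM nginx:1.29.6-alpine@sha256:<digest of the reviewed image>`, would make the Fly.io build reproducible and let each monthly update show the digest change in review. The context line `COPY --from=docker.io/tailscale/tailscale:stable` floats further still, since `stable` is a moving tag; a version tag plus digest there would bring it in line with the other two images.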
@@ -13,7 +13,7 @@ RUN mkdir -p /var/run/tailscale /var/lib/tailscale \
 && rm -f /etc/fail2ban/jail.d/alpine-ssh.conf
 # Copy Alloy binary from official image (Ubuntu-based, needs libc6-compat)
-COPY --from=docker.io/grafana/alloy:v1.13.1 \
+COPY --from=docker.io/grafana/alloy:v1.14.1 \
 /bin/alloy /usr/local/bin/alloy
 RUN mkdir -p /var/log/nginx /etc/alloy /tmp/alloy-data
diff --git a/mise-tasks/blumeops-tasks b/mise-tasks/blumeops-tasks
index f64c284..94daa51 100755
--- a/mise-tasks/blumeops-tasks
+++ b/mise-tasks/blumeops-tasks
@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["httpx>=0.28.0", "rich>=13.0.0"]
+# dependencies = ["httpx>=0.28.1", "rich>=14.0.0"]
 # ///
 #MISE description="List Blumeops tasks from Todoist sorted by priority"
 """Fetch and display Blumeops tasks from Todoist, sorted by priority.
diff --git a/mise-tasks/branch-cleanup b/mise-tasks/branch-cleanup
index 88e9152..0b5a301 100755
--- a/mise-tasks/branch-cleanup
+++ b/mise-tasks/branch-cleanup
@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["httpx>=0.28.0", "rich>=13.0.0", "typer>=0.15.0"]
+# dependencies = ["httpx>=0.28.1", "rich>=14.0.0", "typer>=0.24.0"]
 # ///
 #MISE description="Delete branches that have been merged into main (local and remote)"
 #MISE alias="bc"
diff --git a/mise-tasks/container-build-and-release b/mise-tasks/container-build-and-release
index dd78923..ce57c2e 100755
--- a/mise-tasks/container-build-and-release
+++ b/mise-tasks/container-build-and-release
@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["typer>=0.15.0", "httpx>=0.28.0"]
+# dependencies = ["typer>=0.24.0", "httpx>=0.28.1"]
 # ///
 #MISE description="Trigger container build workflows via Forgejo API"
 #USAGE arg "" help="Container name (directory under containers/)"
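Review bot: Raising the `>=` floors in the `# dependencies = [...]` line of blumeops-tasks, branch-cleanup and container-build-and-release (and of every other mise-tasks script later in this diff) pins nothing: `uv run --script` still resolves whichever newest release satisfies the floor when the environment is built. At least one of these scripts handles sensitive material (op-backup's description says it processes a 1Password export), and the API-calling ones presumably carry a token. A committed per-script lockfile from `uv lock --script <path>`, or an `exclude-newer` date under `# [tool.uv]` in the inline metadata, would keep a freshly published release of rich, typer, httpx or pyyaml from being pulled in unreviewed. Only the first seven lines of each script are visible, so how the packages are used is not shown.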
diff --git a/mise-tasks/container-list b/mise-tasks/container-list
index 91db763..5c554b6 100755
--- a/mise-tasks/container-list
+++ b/mise-tasks/container-list
@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["httpx>=0.28.0", "rich>=13.0.0", "typer>=0.15.0"]
+# dependencies = ["httpx>=0.28.1", "rich>=14.0.0", "typer>=0.24.0"]
 # ///
 #MISE description="List available containers and their recent tags"
 #USAGE arg "[name]" help="Optional container name to filter output"
diff --git a/mise-tasks/container-version-check b/mise-tasks/container-version-check
index 87eed64..1df062f 100755
--- a/mise-tasks/container-version-check
+++ b/mise-tasks/container-version-check
@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["pyyaml>=6.0", "rich>=13.0.0", "typer>=0.15.0"]
+# dependencies = ["pyyaml>=6.0.2", "rich>=14.0.0", "typer>=0.24.0"]
 # ///
 #MISE description="Validate container version consistency across Dockerfiles, nix derivations, and service-versions.yaml"
 #USAGE flag "--all-files" help="Check all containers, not just changed ones"
diff --git a/mise-tasks/docs-check-frontmatter b/mise-tasks/docs-check-frontmatter
index 3571801..11d1a49 100755
--- a/mise-tasks/docs-check-frontmatter
+++ b/mise-tasks/docs-check-frontmatter
@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["rich>=13.0.0"]
+# dependencies = ["rich>=14.0.0"]
 # ///
 #MISE description="Check that all docs have required frontmatter fields"
 """Validate that all documentation files have required YAML frontmatter.
diff --git a/mise-tasks/docs-check-links b/mise-tasks/docs-check-links
index 20d48fb..78e871a 100755
--- a/mise-tasks/docs-check-links
+++ b/mise-tasks/docs-check-links
@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["rich>=13.0.0"]
+# dependencies = ["rich>=14.0.0"]
 # ///
 #MISE description="Validate all wiki-links point to existing doc files"
 """Validate that all wiki-links in documentation point to existing files.
diff --git a/mise-tasks/docs-mikado b/mise-tasks/docs-mikado
index 17a363d..0b37f51 100755
--- a/mise-tasks/docs-mikado
+++ b/mise-tasks/docs-mikado
@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["httpx>=0.28.0", "pyyaml>=6.0", "rich>=13.0.0", "typer>=0.15.0"]
+# dependencies = ["httpx>=0.28.1", "pyyaml>=6.0.2", "rich>=14.0.0", "typer>=0.24.0"]
 # ///
 #MISE description="View active Mikado dependency chains for C2 changes"
 #USAGE arg "[card]" help="Card stem to show chain for"
diff --git a/mise-tasks/docs-preview b/mise-tasks/docs-preview
index d9b90ab..f63b1d1 100755
--- a/mise-tasks/docs-preview
+++ b/mise-tasks/docs-preview
@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["pyyaml>=6.0", "rich>=13.0.0", "typer>=0.15.0"]
+# dependencies = ["pyyaml>=6.0.2", "rich>=14.0.0", "typer>=0.24.0"]
 # ///
 #MISE description="Build docs with Dagger and serve locally, opening to a specific card"
 #USAGE arg "" help="Card path relative to docs/, e.g. how-to/knowledgebase/review-documentation"
diff --git a/mise-tasks/docs-review b/mise-tasks/docs-review
index e353b30..49cf4d0 100755
--- a/mise-tasks/docs-review
+++ b/mise-tasks/docs-review
@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["pyyaml>=6.0", "rich>=13.0.0", "typer>=0.15.0"]
+# dependencies = ["pyyaml>=6.0.2", "rich>=14.0.0", "typer>=0.24.0"]
 # ///
 #MISE description="Review the most stale documentation card by last-reviewed date"
 #USAGE flag "--limit " default="15" help="Number of docs to show in the table"
diff --git a/mise-tasks/docs-review-stale b/mise-tasks/docs-review-stale
index 25ec743..facbf6b 100755
--- a/mise-tasks/docs-review-stale
+++ b/mise-tasks/docs-review-stale
@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["rich>=13.0.0", "typer>=0.15.0"]
+# dependencies = ["rich>=14.0.0", "typer>=0.24.0"]
 # ///
 #MISE description="Report docs by git-last-modified date, highlighting stale ones"
 #USAGE flag "--threshold " default="180" help="Days before a doc is considered stale"
diff --git a/mise-tasks/docs-review-tags b/mise-tasks/docs-review-tags
index a4712e4..0e7f1d4 100755
--- a/mise-tasks/docs-review-tags
+++ b/mise-tasks/docs-review-tags
@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["pyyaml>=6.0", "rich>=13.0.0"]
+# dependencies = ["pyyaml>=6.0.2", "rich>=14.0.0"]
 # ///
 #MISE description="Print frontmatter tag inventory across all docs"
 """Print every frontmatter tag with usage count and file list.
diff --git a/mise-tasks/mikado-branch-invariant-check b/mise-tasks/mikado-branch-invariant-check
index 9060fc8..8760a39 100755
--- a/mise-tasks/mikado-branch-invariant-check
+++ b/mise-tasks/mikado-branch-invariant-check
@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["rich>=13.0.0", "typer>=0.15.0"]
+# dependencies = ["rich>=14.0.0", "typer>=0.24.0"]
 # ///
 #MISE description="Validate Mikado Branch Invariant on mikado/* branches"
 #USAGE arg "[commit_msg_file]" help="Commit message file (passed by commit-msg hook)"
diff --git a/mise-tasks/op-backup b/mise-tasks/op-backup
index 202cb3e..6ffef14 100755
--- a/mise-tasks/op-backup
+++ b/mise-tasks/op-backup
@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["rich>=13.0.0", "typer>=0.15.0"]
+# dependencies = ["rich>=14.0.0", "typer>=0.24.0"]
 # ///
 #MISE description="Encrypt a 1Password .1pux export and send to indri for borgmatic"
 #USAGE arg "[export_path]" help="Path to .1pux export file (prompted if omitted)"
diff --git a/mise-tasks/pr-comments b/mise-tasks/pr-comments
index 1ec60ef..a44a430 100755
--- a/mise-tasks/pr-comments
+++ b/mise-tasks/pr-comments
@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["httpx>=0.28.0", "rich>=13.0.0", "typer>=0.15.0"]
+# dependencies = ["httpx>=0.28.1", "rich>=14.0.0", "typer>=0.24.0"]
 # ///
 #MISE description="List unresolved comments on a PR"
 #USAGE arg "" help="Pull request number"
diff --git a/mise-tasks/runner-logs b/mise-tasks/runner-logs
index 22e4640..ec51608 100755
--- a/mise-tasks/runner-logs
+++ b/mise-tasks/runner-logs
@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["httpx>=0.28.0", "rich>=13.0.0", "typer>=0.15.0"]
+# dependencies = ["httpx>=0.28.1", "rich>=14.0.0", "typer>=0.24.0"]
 # ///
 #MISE description="Get logs for a Forgejo Actions workflow run (indri or ringtail runner)"
 #USAGE arg "" help="Runner filter: indri, ringtail, or all"
diff --git a/mise-tasks/service-review b/mise-tasks/service-review
index 1581781..1bc2ae4 100755
--- a/mise-tasks/service-review
+++ b/mise-tasks/service-review
@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["pyyaml>=6.0", "rich>=13.0.0", "typer>=0.15.0"]
+# dependencies = ["pyyaml>=6.0.2", "rich>=14.0.0", "typer>=0.24.0"]
 # ///
 #MISE description="Review the most stale service for version freshness"
 #USAGE flag "--limit " default="15" help="Number of services to show in the table"
diff --git a/prek.toml b/prek.toml
index b780d94..b679a6f 100644
--- a/prek.toml
+++ b/prek.toml
@@ -28,7 +28,7 @@ hooks = [{ id = "check-yaml", args = ["--unsafe"] }]
 # Secret detection
 [[repos]]
 repo = "https://github.com/trufflesecurity/trufflehog"
-rev = "v3.93.4"
+rev = "v3.94.0"
 hooks = [ { id = "trufflehog", entry = "trufflehog git file://. --since-commit HEAD --no-verification --fail", stages = [ "pre-commit",
@@ -52,12 +52,12 @@ name = "ansible-lint"
 entry = "env ANSIBLE_ROLES_PATH=ansible/roles ansible-lint"
 language = "python"
 files = "^ansible/"
-additional_dependencies = ["ansible-lint>=26.1.1", "ansible-core>=2.15"]
+additional_dependencies = ["ansible-lint>=26.3.0", "ansible-core>=2.18"]
 # Python - ruff for linting and formatting
 [[repos]]
 repo = "https://github.com/astral-sh/ruff-pre-commit"
-rev = "v0.15.2"
+rev = "v0.15.7"
 hooks = [{ id = "ruff", args = ["--fix"] }, { id = "ruff-format" }]
 # Shell scripts - shellcheck and shfmt
@@ -68,7 +68,7 @@ hooks = [{ id = "shellcheck", args = ["--severity=warning"] }]
 [[repos]]
 repo = "https://github.com/scop/pre-commit-shfmt"
-rev = "v3.12.0-2"
+rev = "v3.13.0-1"
 hooks = [{ id = "shfmt", args = ["-i", "2", "-ci", "-bn"] }]
 # TOML - taplo