C1: SHA-pin tooling dependencies (2026-04 cycle) (#344)
All checks were successful
Deploy Fly.io Proxy / deploy (push) Successful in 1m45s
All checks were successful
Deploy Fly.io Proxy / deploy (push) Successful in 1m45s
## Summary Monthly tooling dependency refresh, with a one-time conversion from version-tag pins (`rev = "vX.Y.Z"`, `image:tag`, `>=`) to SHA / digest pins everywhere. ## Changes - **prek hooks**: all `rev = "vX.Y.Z"` → commit SHA + `# vX.Y.Z` comment. Bumped trufflehog (3.94.0→3.95.2), kingfisher (1.91.0→1.97.0), ruff (0.15.7→0.15.12), shfmt (3.13.0→3.13.1), prettier (3.8.1→3.8.3), actionlint (1.7.11→1.7.12). - **fly/Dockerfile**: tag pins → `image@sha256:...` digest pins. Bumped nginx (1.29.6→1.30.0-alpine), tailscale (v1.94.1→v1.94.2 — still inside the safe pre-1.96.5 range), alloy (v1.14.1→v1.16.0). - **mise-tasks**: PEP 723 inline deps converted from `>=` to `==` (PEP 508 doesn't support hashes inline). All scripts pinned to current latest: rich 15.0.0, typer 0.25.0, pyyaml 6.0.3, httpx 0.28.1. - **prek `additional_dependencies`**: ansible-lint==26.4.0, ansible-core==2.20.5. - **taplo-lint**: pass `--no-schema`. Upstream's `--default-schema-catalogs` returns a format taplo v0.9.3 can't parse — we don't validate against TOML schemas anyway, so this turns off the broken catalog fetch. - **docs/update-tooling-dependencies**: documents the SHA-pin convention, `docker buildx imagetools inspect` for digest lookup, and `prek clean` before re-verifying (cache grows to several GiB). Forgejo workflow `actions/checkout@v6.0.2` was already at the latest SHA — no change. ## Test plan - [x] `prek run --all-files` passes after `prek clean` - [x] `deploy-fly` workflow builds and deploys the new fly image on merge - [x] `fly status -a blumeops-proxy` healthy after deploy - [x] Spot-check a few mise tasks (`mise run blumeops-tasks`, `mise run docs-check-links`) to confirm pinned deps resolve cleanly Reviewed-on: #344
This commit is contained in:
parent
5096223b48
commit
f6e392b80c
29 changed files with 174 additions and 47 deletions
24
prek.toml
24
prek.toml
|
|
@ -22,13 +22,13 @@ hooks = [
|
|||
# check-yaml with --unsafe (builtin fast path doesn't support --unsafe yet)
|
||||
[[repos]]
|
||||
repo = "https://github.com/pre-commit/pre-commit-hooks"
|
||||
rev = "v6.0.0"
|
||||
rev = "3e8a8703264a2f4a69428a0aa4dcb512790b2c8c" # v6.0.0
|
||||
hooks = [{ id = "check-yaml", args = ["--unsafe"] }]
|
||||
|
||||
# Secret detection (running both tools in parallel to compare coverage)
|
||||
[[repos]]
|
||||
repo = "https://github.com/trufflesecurity/trufflehog"
|
||||
rev = "v3.94.0"
|
||||
rev = "17456f8c7d042d8c82c9a8ca9e937231f9f42e26" # v3.95.2
|
||||
hooks = [
|
||||
{ id = "trufflehog", entry = "trufflehog git file://. --since-commit HEAD --no-verification --fail", stages = [
|
||||
"pre-commit",
|
||||
|
|
@ -38,7 +38,7 @@ hooks = [
|
|||
|
||||
[[repos]]
|
||||
repo = "https://github.com/mongodb/kingfisher"
|
||||
rev = "v1.91.0"
|
||||
rev = "9ddec4ab8b53653d4941e6b3fd4ff602ce91d81b" # v1.97.0
|
||||
hooks = [
|
||||
{ id = "kingfisher", args = [
|
||||
"scan",
|
||||
|
|
@ -56,7 +56,7 @@ hooks = [
|
|||
# YAML linting
|
||||
[[repos]]
|
||||
repo = "https://github.com/adrienverge/yamllint"
|
||||
rev = "v1.38.0"
|
||||
rev = "cba56bcde1fdd01c1deb3f945e69764c291a6530" # v1.38.0
|
||||
hooks = [{ id = "yamllint", args = ["-c", ".yamllint.yaml"] }]
|
||||
|
||||
# Ansible linting
|
||||
|
|
@ -69,12 +69,12 @@ name = "ansible-lint"
|
|||
entry = "env ANSIBLE_ROLES_PATH=ansible/roles ansible-lint"
|
||||
language = "python"
|
||||
files = "^ansible/"
|
||||
additional_dependencies = ["ansible-lint>=26.3.0", "ansible-core>=2.18"]
|
||||
additional_dependencies = ["ansible-lint==26.4.0", "ansible-core==2.20.5"]
|
||||
|
||||
# Python - ruff for linting and formatting
|
||||
[[repos]]
|
||||
repo = "https://github.com/astral-sh/ruff-pre-commit"
|
||||
rev = "v0.15.7"
|
||||
rev = "6fec9b7edb08fd9989088709d864a7826dc74e80" # v0.15.12
|
||||
hooks = [{ id = "ruff", args = ["--fix"] }, { id = "ruff-format" }]
|
||||
|
||||
# Python - ty type checker
|
||||
|
|
@ -92,30 +92,30 @@ pass_filenames = false
|
|||
# Shell scripts - shellcheck and shfmt
|
||||
[[repos]]
|
||||
repo = "https://github.com/shellcheck-py/shellcheck-py"
|
||||
rev = "v0.11.0.1"
|
||||
rev = "745eface02aef23e168a8afb6b5737818efbea95" # v0.11.0.1
|
||||
hooks = [{ id = "shellcheck", args = ["--severity=warning"] }]
|
||||
|
||||
[[repos]]
|
||||
repo = "https://github.com/scop/pre-commit-shfmt"
|
||||
rev = "v3.13.0-1"
|
||||
rev = "05c1426671b9237fb5e1444dd63aa5731bec0dfb" # v3.13.1-1
|
||||
hooks = [{ id = "shfmt", args = ["-i", "2", "-ci", "-bn"] }]
|
||||
|
||||
# TOML - taplo
|
||||
[[repos]]
|
||||
repo = "https://github.com/ComPWA/taplo-pre-commit"
|
||||
rev = "v0.9.3"
|
||||
hooks = [{ id = "taplo-format" }, { id = "taplo-lint" }]
|
||||
rev = "23eab0f0eedcbedebff420f5fdfb284744adc7b3" # v0.9.3
|
||||
hooks = [{ id = "taplo-format" }, { id = "taplo-lint", args = ["--no-schema"] }]
|
||||
|
||||
# JSON formatting (prettier for consistent style)
|
||||
[[repos]]
|
||||
repo = "https://github.com/rbubley/mirrors-prettier"
|
||||
rev = "v3.8.1"
|
||||
rev = "515f543f5718ebfd6ce22e16708bb32c68ff96e1" # v3.8.3
|
||||
hooks = [{ id = "prettier", types_or = ["json"], args = ["--tab-width", "2"] }]
|
||||
|
||||
# GitHub/Forgejo Actions workflow linting
|
||||
[[repos]]
|
||||
repo = "https://github.com/rhysd/actionlint"
|
||||
rev = "v1.7.11"
|
||||
rev = "914e7df21a07ef503a81201c76d2b11c789d3fca" # v1.7.12
|
||||
hooks = [
|
||||
{ id = "actionlint-system", args = [
|
||||
"-config-file",
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue