Fix detect job checkout for workflow_dispatch builds

The detect job was checking out main instead of the dispatched ref,
so it couldn't find build files that only exist on feature branches.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.forgejo/workflows/build-container.yaml

@@ -30,6 +30,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
+          ref: ${{ inputs.ref || github.sha }}
           fetch-depth: 2
 
       - name: Detect and classify changed containers

argocd/manifests/authentik/kustomization.yaml

@@ -15,4 +15,5 @@ images:
   - name: registry.ops.eblu.me/blumeops/authentik
     newTag: v2026.2.0-2d4098e-nix
   - name: docker.io/library/redis
+    newName: registry.ops.eblu.me/blumeops/authentik-redis
     newTag: 7-alpine

containers/alloy/default.nix

@@ -116,8 +116,6 @@ in
 
 pkgs.dockerTools.buildLayeredImage {
   name = "blumeops/alloy";
-  tag = "latest";
-
   contents = [
     alloy
     pkgs.cacert

containers/authentik-redis/default.nix

@@ -0,0 +1,29 @@
+# Nix-built Redis for Authentik
+# Attached service: cache/broker (sessions, Celery task queue, caching)
+# Uses Redis from nixpkgs, packaged with dockerTools.buildLayeredImage
+#
+# The version assertion ensures nix-build fails if a flake.lock update
+# changes the Redis version — forcing an explicit version acknowledgment
+# here and in service-versions.yaml (enforced by container-version-check).
+{ pkgs ? import <nixpkgs> { } }:
+
+let
+  version = "8.2.3";
+in
+
+assert pkgs.redis.version == version;
+
+pkgs.dockerTools.buildLayeredImage {
+  name = "blumeops/authentik-redis";
+  contents = [
+    pkgs.redis
+  ];
+
+  config = {
+    Entrypoint = [ "${pkgs.redis}/bin/redis-server" ];
+    Cmd = [ "--protected-mode" "no" ];
+    ExposedPorts = {
+      "6379/tcp" = { };
+    };
+  };
+}

containers/authentik/default.nix

@@ -41,8 +41,6 @@ in
 
 pkgs.dockerTools.buildLayeredImage {
   name = "blumeops/authentik";
-  tag = "latest";
-
   contents = [
     ak
     authentik-django

containers/ntfy/default.nix

@@ -67,8 +67,6 @@ in
 
 pkgs.dockerTools.buildLayeredImage {
   name = "blumeops/ntfy";
-  tag = "latest";
-
   contents = [
     ntfy
     pkgs.cacert

docs/changelog.d/localize-redis.infra.md

@@ -0,0 +1 @@
+Localize authentik-redis container: replace upstream `redis:7-alpine` with nix-built image from nixpkgs (Redis 8.2.3). Introduces attached service pattern with `parent` field in service-versions.yaml and version assertion in default.nix to prevent silent version drift.

docs/how-to/knowledgebase/review-services.md

@@ -1,6 +1,6 @@
 ---
 title: Review Services
-modified: 2026-02-19
+modified: 2026-03-24
 last-reviewed: 2026-03-07
 tags:
   - how-to
@@ -59,6 +59,29 @@ mise run service-review --type hybrid
 2. Review the Nix derivation or flake input for version pins
 3. If upgrading, update and deploy via `mise run provision-ringtail`
 
+## Attached Services
+
+Some services have auxiliary dependencies that run as separate containers — caches, sidecars, init helpers. These are tracked as **attached services** with a naming convention and an optional `parent` field:
+
+```yaml
+- name: authentik-redis
+  type: argocd
+  parent: authentik
+  current-version: "8.2.3"
+  upstream-source: https://github.com/redis/redis/releases
+  notes: >-
+    Attached service: Redis cache/broker for Authentik.
+```
+
+**Conventions:**
+
+- **Naming:** `<parent>-<component>` (e.g., `authentik-redis`, `grafana-sidecar`)
+- **`parent` field:** points to the parent service entry. Currently informational — the review task doesn't use it yet, but it enables future grouping/dependency-aware reviews.
+- **`notes` field:** always starts with "Attached service:" to make the relationship clear at a glance.
+- **Version tracking:** attached services that use nixpkgs packages should include a version assertion in `default.nix` (`assert pkgs.<pkg>.version == version;`) so that `flake.lock` updates that change the package version break the build and force explicit acknowledgment.
+
+Existing attached services: `grafana-sidecar`, `authentik-redis`.
+
 ## Version Tracking Convention
 
 The `current-version` field in `service-versions.yaml` tracks the **upstream application version**, not the container image tag. For services with custom-built containers, the container image tag (e.g., `v1.0.0`) is decoupled from the contained app version (e.g., `v1.10.1`). This allows container rebuilds (base image updates, build fixes) without implying an upstream version change.

service-versions.yaml

@@ -104,6 +104,7 @@ services:
 
   - name: grafana-sidecar
     type: argocd
+    parent: grafana
     last-reviewed: "2026-03-03"
     current-version: "1.28.0"
     upstream-source: https://github.com/kiwigrid/k8s-sidecar/releases
@@ -157,6 +158,16 @@ services:
     current-version: "2026.2.0"
     upstream-source: https://github.com/goauthentik/authentik/releases
 
+  - name: authentik-redis
+    type: argocd
+    parent: authentik
+    last-reviewed: "2026-03-24"
+    current-version: "8.2.3"
+    upstream-source: https://github.com/redis/redis/releases
+    notes: >-
+      Attached service: Redis cache/broker for Authentik (sessions, Celery task
+      queue, caching). Nix-built container from nixpkgs with version assertion.
+
   - name: ollama
     type: argocd
     last-reviewed: "2026-03-02"