C1: SHA-pin tooling dependencies (2026-04 cycle) #344

Merged
eblume merged 2 commits from update-tooling-deps-2026-04 into main 2026-04-30 16:51:45 -07:00

Summary

Monthly tooling dependency refresh, with a one-time conversion from version-tag pins (rev = "vX.Y.Z", image:tag, >=) to SHA / digest pins everywhere.

Changes

  • prek hooks: all rev = "vX.Y.Z" → commit SHA + # vX.Y.Z comment. Bumped trufflehog (3.94.0→3.95.2), kingfisher (1.91.0→1.97.0), ruff (0.15.7→0.15.12), shfmt (3.13.0→3.13.1), prettier (3.8.1→3.8.3), actionlint (1.7.11→1.7.12).
  • fly/Dockerfile: tag pins → image@sha256:... digest pins. Bumped nginx (1.29.6→1.30.0-alpine), tailscale (v1.94.1→v1.94.2 — still inside the safe pre-1.96.5 range), alloy (v1.14.1→v1.16.0).
  • mise-tasks: PEP 723 inline deps converted from >= to == (PEP 508 doesn't support hashes inline). All scripts pinned to current latest: rich 15.0.0, typer 0.25.0, pyyaml 6.0.3, httpx 0.28.1.
  • prek additional_dependencies: ansible-lint==26.4.0, ansible-core==2.20.5.
  • taplo-lint: pass --no-schema. Upstream's --default-schema-catalogs returns a format taplo v0.9.3 can't parse — we don't validate against TOML schemas anyway, so this turns off the broken catalog fetch.
  • docs/update-tooling-dependencies: documents the SHA-pin convention, docker buildx imagetools inspect for digest lookup, and prek clean before re-verifying (cache grows to several GiB).

Forgejo workflow actions/checkout@v6.0.2 was already at the latest SHA — no change.

Test plan

  • prek run --all-files passes after prek clean
  • deploy-fly workflow builds and deploys the new fly image on merge
  • fly status -a blumeops-proxy healthy after deploy
  • Spot-check a few mise tasks (mise run blumeops-tasks, mise run docs-check-links) to confirm pinned deps resolve cleanly
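A small lint that enforces the three pin conventions this refresh introduces, so a later bump cannot silently reintroduce a tag or floating-range pin. This is an added example, not code from the blumeops repository or from prek/mise. It assumes the prek config carries hook pins as `rev = "..."` lines (YAML `rev:` is also accepted), that Dockerfile base images appear on ordinary `FROM [--platform=...] <ref> [AS <alias>]` lines, and that PEP 723 dependencies sit in a `dependencies = [...]` array inside the `# /// script` block. The three sample inputs at the bottom are constructed for the example and are not the repository's real files; the 40-hex and 64-hex values in them are placeholders, not real commit SHAs or image digests.

```python
"""Pin-hygiene lint for the SHA/digest-pin convention (added example, not project code).

Scans three kinds of input as plain text and flags any pin that is still a
version tag or a floating range:

  * prek hook config   -> `rev` must be a 40-hex commit SHA with a `# vX.Y.Z` comment
  * Dockerfile         -> every registry FROM must be image@sha256:<64 hex>
  * PEP 723 script     -> every inline dependency must be an exact `==` pin
"""
import re
from dataclasses import dataclass

SHA40 = re.compile(r"[0-9a-fA-F]{40}")
DIGEST = re.compile(r"[0-9a-fA-F]{64}")
# `rev = "x"` (TOML, as in the PR text) or `rev: x` (YAML), optional trailing comment
REV_LINE = re.compile(r'^\s*-?\s*rev\s*[=:]\s*"?([^"\s#]+)"?\s*(#.*)?$')
# FROM [--platform=...] <ref> [AS <alias>]
FROM_LINE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?\s*$", re.IGNORECASE
)
# name[extras]==version ; no markers or hashes, since PEP 508 cannot carry hashes inline
EXACT_PIN = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*(?:\[[^\]]*\])?==\S+")


@dataclass(frozen=True)
class Finding:
    source: str
    line: int
    message: str


def check_prek(text: str, source: str = "prek.toml") -> list[Finding]:
    """Flag hook revs that are tags, or SHAs missing the human-readable version comment."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REV_LINE.match(line)
        if not m:
            continue
        rev, comment = m.group(1), m.group(2) or ""
        if not SHA40.fullmatch(rev):
            out.append(Finding(source, n, f"rev {rev!r} is a tag, not a 40-hex commit SHA"))
        elif not re.search(r"v?\d+\.\d+", comment):
            out.append(Finding(source, n, "SHA pin has no '# vX.Y.Z' version comment"))
    return out


def check_dockerfile(text: str, source: str = "Dockerfile") -> list[Finding]:
    """Flag FROM lines that pin by tag or carry a malformed digest.

    Build-stage references (FROM <alias>) and `scratch` are not registry pulls
    and are skipped.
    """
    out, stages = [], set()
    for n, line in enumerate(text.splitlines(), 1):
        m = FROM_LINE.match(line)
        if not m:
            continue
        ref, alias = m.group(1), m.group(2)
        if alias:
            stages.add(alias.lower())
        if ref.lower() == "scratch" or ref.lower() in stages:
            continue
        image, sep, digest = ref.partition("@sha256:")
        if not sep:
            out.append(Finding(source, n, f"{ref!r} is pinned by tag, not by digest"))
        elif not DIGEST.fullmatch(digest):
            out.append(Finding(source, n, f"{image!r} has a malformed sha256 digest"))
    return out


def _pep723_block(text: str) -> str:
    """Return the TOML between `# /// script` and `# ///` with the comment prefix stripped."""
    lines, inside = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "# /// script":
            inside = True
        elif inside and stripped == "# ///":
            break
        elif inside:
            lines.append(line[2:] if line.startswith("# ") else line.lstrip("#"))
    return "\n".join(lines)


def check_pep723(text: str, source: str = "task.py") -> list[Finding]:
    """Flag inline dependencies that are not exact `==` pins.

    Assumption: a regex pull of the `dependencies = [...]` array is enough here;
    a production lint would parse the stripped block with tomllib instead.
    """
    out = []
    m = re.search(r"dependencies\s*=\s*\[(.*?)\]", _pep723_block(text), re.DOTALL)
    if not m:
        return out
    for req in re.findall(r'"([^"]+)"', m.group(1)):
        if EXACT_PIN.fullmatch(req):
            continue
        line = next((i for i, l in enumerate(text.splitlines(), 1) if f'"{req}"' in l), 0)
        out.append(Finding(source, line, f"{req!r} is not an exact == pin"))
    return out


# --- constructed sample inputs; placeholders, not real SHAs, digests or repo files ---
SAMPLE_PREK = """\
[[repos]]
repo = "https://github.com/astral-sh/ruff-pre-commit"
rev = "0123456789abcdef0123456789abcdef01234567"  # v0.15.12
[[repos]]
repo = "https://github.com/example/hooks"
rev = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
[[repos]]
repo = "https://github.com/example/other-hooks"
rev = "v1.2.3"
"""

SAMPLE_DOCKERFILE = """\
FROM nginx:1.30.0-alpine AS base
FROM tailscale/tailscale@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef AS ts
FROM grafana/alloy@sha256:abc AS alloy
FROM scratch
FROM base
COPY --from=ts /usr/local/bin/tailscaled /usr/local/bin/
"""

SAMPLE_TASK = """\
#!/usr/bin/env -S uv run --script
# /// script
# requires-python = ">=3.12"
# dependencies = [
#   "rich==15.0.0",
#   "httpx>=0.27",
# ]
# ///
import httpx, rich
"""


def lint_all() -> list[Finding]:
    """Run every check over the constructed samples; 5 findings are expected."""
    return (check_prek(SAMPLE_PREK) + check_dockerfile(SAMPLE_DOCKERFILE)
            + check_pep723(SAMPLE_TASK))


if __name__ == "__main__":
    for f in lint_all():
        print(f"{f.source}:{f.line}: {f.message}")
```

Wired into prek as a local hook, a non-empty finding list fails the commit; the stage-alias and `scratch` exemptions in `check_dockerfile` matter because a multi-stage Dockerfile would otherwise be flagged on every `FROM base`, and the digest-length check catches a hand-edited pin that a registry would simply reject at build time.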
- prek hooks: convert all rev = "vX.Y.Z" to commit SHAs with version comments
- fly/Dockerfile: digest-pin nginx (1.30.0-alpine), tailscale (v1.94.2),
  and alloy (v1.16.0); bump from previous tag pins
- mise-tasks: pin PEP 723 deps with == (rich 15.0.0, typer 0.25.0,
  pyyaml 6.0.3, httpx 0.28.1) — PEP 508 doesn't support hashes inline
- prek additional_dependencies: pin ansible-lint==26.4.0, ansible-core==2.20.5
- taplo-lint: pass --no-schema (upstream catalog format changed and
  taplo v0.9.3 can't parse it; we don't validate against TOML schemas)
- docs/update-tooling-dependencies: document SHA-pin convention,
  digest-pin lookup via docker buildx imagetools, and prek clean before
  re-verifying (cache can grow to several GiB)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
New rotation card documenting the 75-day cadence for the Fly.io API
token. Recommends `fly tokens create org` (single-org scope) over
`deploy` (single-app scope): both have effectively the same blast
radius for a single-app personal org, and `org` silences the
"Metrics token unavailable: ... context canceled" warning that
`fly status` emits when called with an app-scoped token.

Linked from manage-flyio-proxy.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
eblume merged commit f6e392b80c into main 2026-04-30 16:51:45 -07:00
Reference
eblume/blumeops!344