.pre-commit-config.yaml

@@ -20,7 +20,7 @@ repos:
 
   # Secret detection
   - repo: https://github.com/trufflesecurity/trufflehog
-    rev: v3.92.5
+    rev: v3.93.4
     hooks:
       - id: trufflehog
         entry: trufflehog git file://. --since-commit HEAD --no-verification --fail
@@ -47,7 +47,7 @@ repos:
 
   # Python - ruff for linting and formatting
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.14.13
+    rev: v0.15.2
     hooks:
       - id: ruff
         args: ['--fix']
@@ -55,7 +55,7 @@ repos:
 
   # Shell scripts - shellcheck and shfmt
   - repo: https://github.com/shellcheck-py/shellcheck-py
-    rev: v0.10.0.1
+    rev: v0.11.0.1
     hooks:
       - id: shellcheck
         args: ['--severity=warning']
@@ -75,7 +75,7 @@ repos:
 
   # JSON formatting (prettier for consistent style)
   - repo: https://github.com/rbubley/mirrors-prettier
-    rev: v3.8.0
+    rev: v3.8.1
     hooks:
       - id: prettier
         types_or: [json]
@@ -83,7 +83,7 @@ repos:
 
   # GitHub/Forgejo Actions workflow linting
   - repo: https://github.com/rhysd/actionlint
-    rev: v1.7.10
+    rev: v1.7.11
     hooks:
       - id: actionlint-system
         args: ['-config-file', '.github/actionlint.yaml']

docs/changelog.d/update-dependency-bumps-2026-02.infra.md

@@ -0,0 +1 @@
+Update tooling dependencies: pre-commit hooks (trufflehog, ruff, shellcheck, prettier, actionlint), Fly.io Dockerfile (pin nginx 1.28.2-alpine, alloy v1.13.1), and normalize mise task Python lower bounds.

docs/how-to/configuration/update-tooling-dependencies.md

@@ -0,0 +1,69 @@
+---
+title: Update Tooling Dependencies
+modified: 2026-02-23
+last-reviewed: 2026-02-23
+tags:
+  - how-to
+  - configuration
+---
+
+# Update Tooling Dependencies
+
+Monthly maintenance cycle for updating development tooling and CI dependencies. This is separate from [[review-services]], which tracks deployed service versions.
+
+## Scope
+
+| Category | Location | What to check |
+|----------|----------|---------------|
+| Pre-commit hooks | `.pre-commit-config.yaml` | `rev:` tags for all remote repos |
+| Fly.io proxy | `fly/Dockerfile` | Pinned image tags (nginx, alloy) |
+| Mise task scripts | `mise-tasks/*` | Python `# dependencies` lower bounds |
+| Forgejo workflows | `.forgejo/workflows/*.yaml` | `uses:` action versions |
+
+Out of scope: ArgoCD-deployed service images, Ansible role versions, NixOS flake inputs. Those are covered by [[review-services]] and [[manage-lockfile]].
+
+## Procedure
+
+### 1. Check pre-commit hook versions
+
+For each repo in `.pre-commit-config.yaml` with a `rev:` tag, check the upstream GitHub releases page for a newer tag. Update each `rev:` to the latest release tag. Also check `additional_dependencies` entries for PyPI version bumps.
+
+Verify after updating:
+
+```fish
+uvx pre-commit run --all-files
+```
+
+### 2. Check Fly.io Dockerfile pins
+
+Review `fly/Dockerfile` for pinned image tags:
+
+- **nginx** — check [Docker Hub](https://hub.docker.com/_/nginx) for latest stable alpine tag
+- **grafana/alloy** — check [GitHub releases](https://github.com/grafana/alloy/releases)
+- **tailscale/tailscale** — uses `stable` rolling tag, no action needed
+
+After updating, the deploy-fly workflow will build and deploy on merge to main. Verify with `fly status -a blumeops-proxy` after deploy.
+
+### 3. Normalize mise task dependency bounds
+
+Mise tasks use `uv run --script` with inline PEP 723 dependency metadata. Check that lower bounds are consistent across all scripts:
+
+```fish
+grep -r 'dependencies' mise-tasks/ | grep '# dependencies'
+```
+
+Ensure all scripts using the same package agree on the minimum version. When a package has a new major or breaking minor release, bump the lower bound across all scripts at once.
+
+### 4. Check Forgejo workflow action versions
+
+Review `.forgejo/workflows/*.yaml` for `uses:` directives. Currently all workflows use `actions/checkout@v4` which tracks the latest v4.x.
+
+### 5. Commit and create PR
+
+Create a single PR with all dependency bumps. The changelog fragment type is `infra`.
+
+## Notes
+
+- **Alloy version gaps**: Grafana Alloy releases frequently. Large version jumps (e.g., v1.5 to v1.13) are normal and generally safe — check the [changelog](https://github.com/grafana/alloy/releases) for breaking changes in the Alloy River config syntax.
+- **Ruff minor bumps**: Ruff adds new lint rules in minor versions. A bump may surface new warnings. Run `uvx pre-commit run ruff --all-files` to check before committing.
+- **shellcheck bumps**: New shellcheck versions may flag previously-ignored patterns. Review any new failures before updating.

docs/how-to/how-to.md

@@ -27,6 +27,7 @@ Task-oriented instructions for common BlumeOps operations. These guides assume y
 | [[use-pypi-proxy]] | Configure pip and publish packages to devpi |
 | [[expose-service-publicly]] | Expose a service to the public internet via Fly.io + Tailscale |
 | [[update-documentation]] | Publish docs via build-blumeops workflow |
+| [[update-tooling-dependencies]] | Monthly update cycle for pre-commit, Fly, mise, and workflow deps |
 
 ## Knowledge Base
 

fly/Dockerfile

@@ -1,4 +1,4 @@
-FROM nginx:alpine
+FROM nginx:1.28.2-alpine
 
 # Copy tailscale binaries from official image
 COPY --from=docker.io/tailscale/tailscale:stable \
@@ -11,7 +11,7 @@ RUN mkdir -p /var/run/tailscale /var/lib/tailscale \
     && apk add --no-cache libc6-compat
 
 # Copy Alloy binary from official image (Ubuntu-based, needs libc6-compat)
-COPY --from=docker.io/grafana/alloy:v1.5.1 \
+COPY --from=docker.io/grafana/alloy:v1.13.1 \
     /bin/alloy /usr/local/bin/alloy
 
 RUN mkdir -p /var/log/nginx /etc/alloy /tmp/alloy-data

mise-tasks/blumeops-tasks

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["httpx>=0.27.0", "rich>=13.0.0"]
+# dependencies = ["httpx>=0.28.0", "rich>=13.0.0"]
 # ///
 #MISE description="List Blumeops tasks from Todoist sorted by priority"
 """Fetch and display Blumeops tasks from Todoist, sorted by priority.

mise-tasks/docs-review

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["pyyaml>=6.0", "rich>=13.0.0", "typer>=0.9.0"]
+# dependencies = ["pyyaml>=6.0", "rich>=13.0.0", "typer>=0.15.0"]
 # ///
 #MISE description="Review the most stale documentation card by last-reviewed date"
 #USAGE flag "--limit <limit>" default="15" help="Number of docs to show in the table"

mise-tasks/docs-review-stale

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["rich>=13.0.0", "typer>=0.9.0"]
+# dependencies = ["rich>=13.0.0", "typer>=0.15.0"]
 # ///
 #MISE description="Report docs by git-last-modified date, highlighting stale ones"
 #USAGE flag "--threshold <threshold>" default="180" help="Days before a doc is considered stale"

mise-tasks/pr-comments

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["httpx>=0.27.0", "rich>=13.0.0"]
+# dependencies = ["httpx>=0.28.0", "rich>=13.0.0"]
 # ///
 #MISE description="List unresolved comments on a PR"
 #USAGE arg "<pr_number>" help="Pull request number"

mise-tasks/service-review

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["pyyaml>=6.0", "rich>=13.0.0", "typer>=0.9.0"]
+# dependencies = ["pyyaml>=6.0", "rich>=13.0.0", "typer>=0.15.0"]
 # ///
 #MISE description="Review the most stale service for version freshness"
 #USAGE flag "--limit <limit>" default="15" help="Number of services to show in the table"