Recurring maintenance batch (2026-05-27) #360

Merged
eblume merged 3 commits from recurring-maintenance-2026-05-27 into main 2026-05-28 06:01:59 -07:00
20 changed files with 29 additions and 25 deletions
Showing only changes of commit 568e355d10

C1: tooling deps bump — prek hooks, fly proxy, typer

Monthly tooling refresh per [[update-tooling-dependencies]]:

- prek: trufflehog v3.95.3, kingfisher v1.101.0, ruff v0.15.14, ansible-core 2.21.0
- fly proxy: nginx 1.30.1-alpine, alloy v1.16.1
- mise-tasks: typer==0.26.2 across all scripts
- tailscale held at v1.94.2 (v1.96.5+ MagicDNS regression)
Erich Blume 2026-05-27 18:40:05 -07:00

View file

@ -0,0 +1,4 @@
Recurring maintenance batch:
- Ringtail flake inputs refreshed (`disko`, `home-manager`, `nixpkgs`).
- Tooling deps bumped: prek hooks (trufflehog v3.95.3, kingfisher v1.101.0, ruff v0.15.14, `ansible-core` 2.21.0); fly proxy base images (nginx 1.30.1-alpine, alloy v1.16.1); `typer==0.26.2` in mise tasks.

View file

@ -1,5 +1,5 @@
# nginx 1.30.0-alpine # nginx 1.30.1-alpine
FROM nginx@sha256:0272e4604ed93c1792f03695a033a6e8546840f86e0de20a884bb17d2c924883 FROM nginx@sha256:c819f83c54b0361f5557601bf5eb4943d09360e7a7fdf426afc466570f45874d
# Copy tailscale binaries from official image (v1.94.2) # Copy tailscale binaries from official image (v1.94.2)
COPY --from=docker.io/tailscale/tailscale@sha256:95e528798bebe75f39b10e74e7051cf51188ee615934f232ba7ad06a3390ffa1 \ COPY --from=docker.io/tailscale/tailscale@sha256:95e528798bebe75f39b10e74e7051cf51188ee615934f232ba7ad06a3390ffa1 \
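Review bot: The tailscale `COPY --from` line keeps the v1.94.2 digest, but the comment above it does not say that the pin is deliberate. The commit message records the reason (v1.96.5+ MagicDNS regression); put that in the Dockerfile comment as well, for example `# tailscale held at v1.94.2 (v1.96.5+ MagicDNS regression)`, so the next monthly refresh does not bump it by accident.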
@ -13,8 +13,8 @@ RUN mkdir -p /var/run/tailscale /var/lib/tailscale \
&& apk add --no-cache fail2ban \ && apk add --no-cache fail2ban \
&& rm -f /etc/fail2ban/jail.d/alpine-ssh.conf && rm -f /etc/fail2ban/jail.d/alpine-ssh.conf
# Copy Alloy binary from official image (v1.16.0, Ubuntu-based, needs libc6-compat) # Copy Alloy binary from official image (v1.16.1, Ubuntu-based, needs libc6-compat)
COPY --from=docker.io/grafana/alloy@sha256:6e00cf7c5a692ff5f24844529416ed017d76fce922f8199004e73d5eca46b6b8 \ COPY --from=docker.io/grafana/alloy@sha256:51aeb9d829239345070619dad3edd6873186f913c84f45b365b74574fcb38ec0 \
/bin/alloy /usr/local/bin/alloy /bin/alloy /usr/local/bin/alloy
RUN mkdir -p /var/log/nginx /etc/alloy /tmp/alloy-data RUN mkdir -p /var/log/nginx /etc/alloy /tmp/alloy-data
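Review bot: On the Alloy `COPY --from` line, the comment says the binary is Ubuntu-based and needs libc6-compat, yet nothing visible in this hunk exercises the new binary on the Alpine base. Add a build-time smoke step after the COPY that runs the copied `/usr/local/bin/alloy` once (its version output is enough), so that a release which no longer loads under the compat layer fails the image build instead of failing at container start.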

View file

@ -1,7 +1,7 @@
#!/usr/bin/env -S uv run --script #!/usr/bin/env -S uv run --script
# /// script # /// script
# requires-python = ">=3.12" # requires-python = ">=3.12"
# dependencies = ["httpx==0.28.1", "rich==15.0.0", "typer==0.25.0"] # dependencies = ["httpx==0.28.1", "rich==15.0.0", "typer==0.26.2"]
# /// # ///
#MISE description="Delete branches that have been merged into main (local and remote)" #MISE description="Delete branches that have been merged into main (local and remote)"
#MISE alias="bc" #MISE alias="bc"
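Review bot: The `# dependencies` line pins only the direct dependencies, so `uv run --script` still resolves typer's own dependencies at run time and two runs of the same commit can install different transitive versions. If reproducibility is the goal of the `==` pins, commit a lockfile per script (`uv lock --script <path>`) and refresh it in the same batch. This applies to every script touched by the typer bump, not only this one.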

View file

@ -1,7 +1,7 @@
#!/usr/bin/env -S uv run --script #!/usr/bin/env -S uv run --script
# /// script # /// script
# requires-python = ">=3.12" # requires-python = ">=3.12"
# dependencies = ["typer==0.25.0", "httpx==0.28.1"] # dependencies = ["typer==0.26.2", "httpx==0.28.1"]
# /// # ///
#MISE description="Trigger container build workflows via Forgejo API" #MISE description="Trigger container build workflows via Forgejo API"
#USAGE arg "<container>" help="Container name (directory under containers/)" #USAGE arg "<container>" help="Container name (directory under containers/)"
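Review bot: This script's `# dependencies` line lists `typer` before `httpx`, while most of the other scripts in this commit keep the list alphabetical (`httpx`, `rich`, `typer`). Sort it while the line is being edited anyway; a uniform order keeps the monthly bump a mechanical search-and-replace and makes a missed file easier to spot.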

View file

@ -1,7 +1,7 @@
#!/usr/bin/env -S uv run --script #!/usr/bin/env -S uv run --script
# /// script # /// script
# requires-python = ">=3.12" # requires-python = ">=3.12"
# dependencies = ["httpx==0.28.1", "rich==15.0.0", "typer==0.25.0"] # dependencies = ["httpx==0.28.1", "rich==15.0.0", "typer==0.26.2"]
# /// # ///
#MISE description="List available containers and their recent tags" #MISE description="List available containers and their recent tags"
#USAGE arg "[name]" help="Optional container name to filter output" #USAGE arg "[name]" help="Optional container name to filter output"

View file

@ -1,7 +1,7 @@
#!/usr/bin/env -S uv run --script #!/usr/bin/env -S uv run --script
# /// script # /// script
# requires-python = ">=3.12" # requires-python = ">=3.12"
# dependencies = ["pyyaml==6.0.3", "rich==15.0.0", "typer==0.25.0"] # dependencies = ["pyyaml==6.0.3", "rich==15.0.0", "typer==0.26.2"]
# /// # ///
#MISE description="Validate container version consistency across container.py, Dockerfiles, nix derivations, and service-versions.yaml" #MISE description="Validate container version consistency across container.py, Dockerfiles, nix derivations, and service-versions.yaml"
#USAGE flag "--all-files" help="Check all containers, not just changed ones" #USAGE flag "--all-files" help="Check all containers, not just changed ones"

View file

@ -1,7 +1,7 @@
#!/usr/bin/env -S uv run --script #!/usr/bin/env -S uv run --script
# /// script # /// script
# requires-python = ">=3.12" # requires-python = ">=3.12"
# dependencies = ["httpx==0.28.1", "rich==15.0.0", "typer==0.25.0"] # dependencies = ["httpx==0.28.1", "rich==15.0.0", "typer==0.26.2"]
# /// # ///
#MISE description="Delete orphaned ACME challenge TXT records in eblu.me" #MISE description="Delete orphaned ACME challenge TXT records in eblu.me"
#USAGE flag "--dry-run" help="List orphans without deleting" #USAGE flag "--dry-run" help="List orphans without deleting"

View file

@ -1,7 +1,7 @@
#!/usr/bin/env -S uv run --script #!/usr/bin/env -S uv run --script
# /// script # /// script
# requires-python = ">=3.12" # requires-python = ">=3.12"
# dependencies = ["httpx==0.28.1", "pyyaml==6.0.3", "rich==15.0.0", "typer==0.25.0"] # dependencies = ["httpx==0.28.1", "pyyaml==6.0.3", "rich==15.0.0", "typer==0.26.2"]
# /// # ///
#MISE description="View active Mikado dependency chains for C2 changes" #MISE description="View active Mikado dependency chains for C2 changes"
#USAGE arg "[card]" help="Card stem to show chain for" #USAGE arg "[card]" help="Card stem to show chain for"

View file

@ -1,7 +1,7 @@
#!/usr/bin/env -S uv run --script #!/usr/bin/env -S uv run --script
# /// script # /// script
# requires-python = ">=3.12" # requires-python = ">=3.12"
# dependencies = ["pyyaml==6.0.3", "rich==15.0.0", "typer==0.25.0"] # dependencies = ["pyyaml==6.0.3", "rich==15.0.0", "typer==0.26.2"]
# /// # ///
#MISE description="Build docs with Dagger and serve locally, opening to a specific card" #MISE description="Build docs with Dagger and serve locally, opening to a specific card"
#USAGE arg "<card>" help="Card path relative to docs/, e.g. how-to/knowledgebase/review-documentation" #USAGE arg "<card>" help="Card path relative to docs/, e.g. how-to/knowledgebase/review-documentation"

View file

@ -1,7 +1,7 @@
#!/usr/bin/env -S uv run --script #!/usr/bin/env -S uv run --script
# /// script # /// script
# requires-python = ">=3.12" # requires-python = ">=3.12"
# dependencies = ["pyyaml==6.0.3", "rich==15.0.0", "typer==0.25.0"] # dependencies = ["pyyaml==6.0.3", "rich==15.0.0", "typer==0.26.2"]
# /// # ///
#MISE description="Review the most stale documentation card by last-reviewed date" #MISE description="Review the most stale documentation card by last-reviewed date"
#USAGE flag "--limit <limit>" default="15" help="Number of docs to show in the table" #USAGE flag "--limit <limit>" default="15" help="Number of docs to show in the table"

View file

@ -1,7 +1,7 @@
#!/usr/bin/env -S uv run --script #!/usr/bin/env -S uv run --script
# /// script # /// script
# requires-python = ">=3.12" # requires-python = ">=3.12"
# dependencies = ["rich==15.0.0", "typer==0.25.0"] # dependencies = ["rich==15.0.0", "typer==0.26.2"]
# /// # ///
#MISE description="Report docs by git-last-modified date, highlighting stale ones" #MISE description="Report docs by git-last-modified date, highlighting stale ones"
#USAGE flag "--threshold <threshold>" default="180" help="Days before a doc is considered stale" #USAGE flag "--threshold <threshold>" default="180" help="Days before a doc is considered stale"

View file

@ -1,7 +1,7 @@
#!/usr/bin/env -S uv run --script #!/usr/bin/env -S uv run --script
# /// script # /// script
# requires-python = ">=3.12" # requires-python = ">=3.12"
# dependencies = ["rich==15.0.0", "typer==0.25.0"] # dependencies = ["rich==15.0.0", "typer==0.26.2"]
# /// # ///
#MISE description="Validate Mikado Branch Invariant on mikado/* branches" #MISE description="Validate Mikado Branch Invariant on mikado/* branches"
#USAGE arg "[commit_msg_file]" help="Commit message file (passed by commit-msg hook)" #USAGE arg "[commit_msg_file]" help="Commit message file (passed by commit-msg hook)"

View file

@ -1,7 +1,7 @@
#!/usr/bin/env -S uv run --script #!/usr/bin/env -S uv run --script
# /// script # /// script
# requires-python = ">=3.12" # requires-python = ">=3.12"
# dependencies = ["rich==15.0.0", "typer==0.25.0"] # dependencies = ["rich==15.0.0", "typer==0.26.2"]
# /// # ///
#MISE description="Encrypt a 1Password .1pux export and send to indri for borgmatic" #MISE description="Encrypt a 1Password .1pux export and send to indri for borgmatic"
#USAGE arg "[export_path]" help="Path to .1pux export file (prompted if omitted)" #USAGE arg "[export_path]" help="Path to .1pux export file (prompted if omitted)"

View file

@ -1,7 +1,7 @@
#!/usr/bin/env -S uv run --script #!/usr/bin/env -S uv run --script
# /// script # /// script
# requires-python = ">=3.12" # requires-python = ">=3.12"
# dependencies = ["httpx==0.28.1", "rich==15.0.0", "typer==0.25.0"] # dependencies = ["httpx==0.28.1", "rich==15.0.0", "typer==0.26.2"]
# /// # ///
#MISE description="List unresolved comments on a PR" #MISE description="List unresolved comments on a PR"
#USAGE arg "<pr_number>" help="Pull request number" #USAGE arg "<pr_number>" help="Pull request number"

View file

@ -1,7 +1,7 @@
#!/usr/bin/env -S uv run --script #!/usr/bin/env -S uv run --script
# /// script # /// script
# requires-python = ">=3.12" # requires-python = ">=3.12"
# dependencies = ["rich==15.0.0", "typer==0.25.0"] # dependencies = ["rich==15.0.0", "typer==0.26.2"]
# /// # ///
#MISE description="Prune old NixOS generations on ringtail, preserving rollback safety" #MISE description="Prune old NixOS generations on ringtail, preserving rollback safety"
#MISE alias="prg" #MISE alias="prg"

View file

@ -1,7 +1,7 @@
#!/usr/bin/env -S uv run --script #!/usr/bin/env -S uv run --script
# /// script # /// script
# requires-python = ">=3.12" # requires-python = ">=3.12"
# dependencies = ["rich==15.0.0", "typer==0.25.0", "pyyaml==6.0.3"] # dependencies = ["rich==15.0.0", "typer==0.26.2", "pyyaml==6.0.3"]
# /// # ///
#MISE description="Summarize the latest Prowler and Kingfisher compliance reports from sifaka" #MISE description="Summarize the latest Prowler and Kingfisher compliance reports from sifaka"
#USAGE flag "--full" help="Show all unmuted failures, not just new ones" #USAGE flag "--full" help="Show all unmuted failures, not just new ones"

View file

@ -1,7 +1,7 @@
#!/usr/bin/env -S uv run --script #!/usr/bin/env -S uv run --script
# /// script # /// script
# requires-python = ">=3.12" # requires-python = ">=3.12"
# dependencies = ["httpx==0.28.1", "rich==15.0.0", "typer==0.25.0"] # dependencies = ["httpx==0.28.1", "rich==15.0.0", "typer==0.26.2"]
# /// # ///
#MISE description="List recent Forgejo Actions runs or fetch logs for a specific job" #MISE description="List recent Forgejo Actions runs or fetch logs for a specific job"
#USAGE arg "[run_number]" help="Run number to show jobs for (omit to list recent runs)" #USAGE arg "[run_number]" help="Run number to show jobs for (omit to list recent runs)"

View file

@ -1,7 +1,7 @@
#!/usr/bin/env -S uv run --script #!/usr/bin/env -S uv run --script
# /// script # /// script
# requires-python = ">=3.12" # requires-python = ">=3.12"
# dependencies = ["pyyaml==6.0.3", "rich==15.0.0", "typer==0.25.0"] # dependencies = ["pyyaml==6.0.3", "rich==15.0.0", "typer==0.26.2"]
# /// # ///
#MISE description="Review the most stale service for version freshness" #MISE description="Review the most stale service for version freshness"
#USAGE flag "--limit <limit>" default="15" help="Number of services to show in the table" #USAGE flag "--limit <limit>" default="15" help="Number of services to show in the table"

View file

@ -1,7 +1,7 @@
#!/usr/bin/env -S uv run --script #!/usr/bin/env -S uv run --script
# /// script # /// script
# requires-python = ">=3.12" # requires-python = ">=3.12"
# dependencies = ["httpx==0.28.1", "rich==15.0.0", "typer==0.25.0"] # dependencies = ["httpx==0.28.1", "rich==15.0.0", "typer==0.26.2"]
# /// # ///
#MISE description="Create a spork (floating-branch soft-fork) of a mirrored upstream project" #MISE description="Create a spork (floating-branch soft-fork) of a mirrored upstream project"
#USAGE arg "<repo_name>" help="Repository name in the mirrors/ org on forge (e.g. kingfisher)" #USAGE arg "<repo_name>" help="Repository name in the mirrors/ org on forge (e.g. kingfisher)"

View file

@ -28,7 +28,7 @@ hooks = [{ id = "check-yaml", args = ["--unsafe"] }]
# Secret detection (running both tools in parallel to compare coverage) # Secret detection (running both tools in parallel to compare coverage)
[[repos]] [[repos]]
repo = "https://github.com/trufflesecurity/trufflehog" repo = "https://github.com/trufflesecurity/trufflehog"
rev = "17456f8c7d042d8c82c9a8ca9e937231f9f42e26" # v3.95.2 rev = "37b77001d0174ebec2fcca2bd83ff83a6d45a3ab" # v3.95.3
hooks = [ hooks = [
{ id = "trufflehog", entry = "trufflehog git file://. --since-commit HEAD --no-verification --fail", stages = [ { id = "trufflehog", entry = "trufflehog git file://. --since-commit HEAD --no-verification --fail", stages = [
"pre-commit", "pre-commit",
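Review bot: On the trufflehog `rev =` line, the version lives only in the trailing comment (`# v3.95.3`); nothing visible ties the 40-character SHA to that tag. State in the PR how the SHA was resolved, or add a check that compares each pinned `rev` with the peeled tag commit reported by `git ls-remote --tags`, so that a mistyped or substituted SHA is caught at review time.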
@ -38,7 +38,7 @@ hooks = [
[[repos]] [[repos]]
repo = "https://github.com/mongodb/kingfisher" repo = "https://github.com/mongodb/kingfisher"
rev = "9ddec4ab8b53653d4941e6b3fd4ff602ce91d81b" # v1.97.0 rev = "6f560103cc6ea082ef4b80a9098e3f3111afb8bc" # v1.101.0
hooks = [ hooks = [
{ id = "kingfisher", args = [ { id = "kingfisher", args = [
"scan", "scan",
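Review bot: The kingfisher `rev` moves from v1.97.0 to v1.101.0, a larger jump than the patch-level bumps elsewhere in this commit. Since the section comment says both scanners run in parallel to compare coverage, record whether the findings on the existing tree changed after the bump, and confirm that the `args` passed to `scan` are still accepted by the new release.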
@ -69,12 +69,12 @@ name = "ansible-lint"
entry = "env ANSIBLE_ROLES_PATH=ansible/roles ansible-lint" entry = "env ANSIBLE_ROLES_PATH=ansible/roles ansible-lint"
language = "python" language = "python"
files = "^ansible/" files = "^ansible/"
additional_dependencies = ["ansible-lint==26.4.0", "ansible-core==2.20.5"] additional_dependencies = ["ansible-lint==26.4.0", "ansible-core==2.21.0"]
# Python - ruff for linting and formatting # Python - ruff for linting and formatting
[[repos]] [[repos]]
repo = "https://github.com/astral-sh/ruff-pre-commit" repo = "https://github.com/astral-sh/ruff-pre-commit"
rev = "6fec9b7edb08fd9989088709d864a7826dc74e80" # v0.15.12 rev = "0c7b6c989466a93942def1f84baf36ddfcd60c83" # v0.15.14
hooks = [{ id = "ruff", args = ["--fix"] }, { id = "ruff-format" }] hooks = [{ id = "ruff", args = ["--fix"] }, { id = "ruff-format" }]
# Python - ty type checker # Python - ty type checker
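Review bot: In `additional_dependencies`, `ansible-core` goes from 2.20.5 to 2.21.0 while `ansible-lint==26.4.0` stays unchanged. That is a minor-version step of the engine under a fixed linter, so confirm that the ansible-lint hook was run over everything under `ansible/` with this pair and note the result in the PR; if the linter needs a matching bump, it belongs in the same change.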