Erich Blume
f6e392b80c
All checks were successful
Deploy Fly.io Proxy / deploy (push) Successful in 1m45s
## Summary Monthly tooling dependency refresh, with a one-time conversion from version-tag pins (`rev = "vX.Y.Z"`, `image:tag`, `>=`) to SHA / digest pins everywhere. ## Changes - **prek hooks**: all `rev = "vX.Y.Z"` → commit SHA + `# vX.Y.Z` comment. Bumped trufflehog (3.94.0→3.95.2), kingfisher (1.91.0→1.97.0), ruff (0.15.7→0.15.12), shfmt (3.13.0→3.13.1), prettier (3.8.1→3.8.3), actionlint (1.7.11→1.7.12). - **fly/Dockerfile**: tag pins → `image@sha256:...` digest pins. Bumped nginx (1.29.6→1.30.0-alpine), tailscale (v1.94.1→v1.94.2 — still inside the safe pre-1.96.5 range), alloy (v1.14.1→v1.16.0). - **mise-tasks**: PEP 723 inline deps converted from `>=` to `==` (PEP 508 doesn't support hashes inline). All scripts pinned to current latest: rich 15.0.0, typer 0.25.0, pyyaml 6.0.3, httpx 0.28.1. - **prek `additional_dependencies`**: ansible-lint==26.4.0, ansible-core==2.20.5. - **taplo-lint**: pass `--no-schema`. Upstream's `--default-schema-catalogs` returns a format taplo v0.9.3 can't parse — we don't validate against TOML schemas anyway, so this turns off the broken catalog fetch. - **docs/update-tooling-dependencies**: documents the SHA-pin convention, `docker buildx imagetools inspect` for digest lookup, and `prek clean` before re-verifying (cache grows to several GiB). Forgejo workflow `actions/checkout@v6.0.2` was already at the latest SHA — no change. ## Test plan - [x] `prek run --all-files` passes after `prek clean` - [x] `deploy-fly` workflow builds and deploys the new fly image on merge - [x] `fly status -a blumeops-proxy` healthy after deploy - [x] Spot-check a few mise tasks (`mise run blumeops-tasks`, `mise run docs-check-links`) to confirm pinned deps resolve cleanly Reviewed-on: #344
34 lines
1.4 KiB
Docker
34 lines
1.4 KiB
Docker
# nginx 1.30.0-alpine
|
|
FROM nginx@sha256:0272e4604ed93c1792f03695a033a6e8546840f86e0de20a884bb17d2c924883
|
|
|
|
# Copy tailscale binaries from official image (v1.94.2)
|
|
COPY --from=docker.io/tailscale/tailscale@sha256:95e528798bebe75f39b10e74e7051cf51188ee615934f232ba7ad06a3390ffa1 \
|
|
/usr/local/bin/tailscaled /usr/local/bin/tailscaled
|
|
COPY --from=docker.io/tailscale/tailscale@sha256:95e528798bebe75f39b10e74e7051cf51188ee615934f232ba7ad06a3390ffa1 \
|
|
/usr/local/bin/tailscale /usr/local/bin/tailscale
|
|
|
|
RUN mkdir -p /var/run/tailscale /var/lib/tailscale \
|
|
&& apk add --no-cache iptables ip6tables \
|
|
&& apk add --no-cache libc6-compat \
|
|
&& apk add --no-cache fail2ban \
|
|
&& rm -f /etc/fail2ban/jail.d/alpine-ssh.conf
|
|
|
|
# Copy Alloy binary from official image (v1.16.0, Ubuntu-based, needs libc6-compat)
|
|
COPY --from=docker.io/grafana/alloy@sha256:6e00cf7c5a692ff5f24844529416ed017d76fce922f8199004e73d5eca46b6b8 \
|
|
/bin/alloy /usr/local/bin/alloy
|
|
|
|
RUN mkdir -p /var/log/nginx /etc/alloy /tmp/alloy-data
|
|
|
|
COPY fail2ban/filter.d/forge-login.conf /etc/fail2ban/filter.d/forge-login.conf
|
|
COPY fail2ban/jail.d/forge.conf /etc/fail2ban/jail.d/forge.conf
|
|
COPY fail2ban/action.d/nginx-deny.conf /etc/fail2ban/action.d/nginx-deny.conf
|
|
|
|
COPY nginx.conf /etc/nginx/nginx.conf
|
|
COPY error.html /usr/share/nginx/html/error.html
|
|
COPY alloy.river /etc/alloy/config.alloy
|
|
COPY start.sh /start.sh
|
|
RUN chmod +x /start.sh
|
|
|
|
EXPOSE 8080
|
|
|
|
CMD ["/start.sh"]
|