eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/docs/how-to/configuration/update-tooling-dependencies.md
Erich Blume f6e392b80c
All checks were successful
Deploy Fly.io Proxy / deploy (push) Successful in 1m45s
Details
C1: SHA-pin tooling dependencies (2026-04 cycle) (#344) 
## Summary

Monthly tooling dependency refresh, with a one-time conversion from version-tag pins (`rev = "vX.Y.Z"`, `image:tag`, `>=`) to SHA / digest pins everywhere.

## Changes

- **prek hooks**: all `rev = "vX.Y.Z"` → commit SHA + `# vX.Y.Z` comment. Bumped trufflehog (3.94.0→3.95.2), kingfisher (1.91.0→1.97.0), ruff (0.15.7→0.15.12), shfmt (3.13.0→3.13.1), prettier (3.8.1→3.8.3), actionlint (1.7.11→1.7.12).
- **fly/Dockerfile**: tag pins → `image@sha256:...` digest pins. Bumped nginx (1.29.6→1.30.0-alpine), tailscale (v1.94.1→v1.94.2 — still inside the safe pre-1.96.5 range), alloy (v1.14.1→v1.16.0).
- **mise-tasks**: PEP 723 inline deps converted from `>=` to `==` (PEP 508 doesn't support hashes inline). All scripts pinned to current latest: rich 15.0.0, typer 0.25.0, pyyaml 6.0.3, httpx 0.28.1.
- **prek `additional_dependencies`**: ansible-lint==26.4.0, ansible-core==2.20.5.
- **taplo-lint**: pass `--no-schema`. Upstream's `--default-schema-catalogs` returns a format taplo v0.9.3 can't parse — we don't validate against TOML schemas anyway, so this turns off the broken catalog fetch.
- **docs/update-tooling-dependencies**: documents the SHA-pin convention, `docker buildx imagetools inspect` for digest lookup, and `prek clean` before re-verifying (cache grows to several GiB).

Forgejo workflow `actions/checkout@v6.0.2` was already at the latest SHA — no change.

## Test plan

- [x] `prek run --all-files` passes after `prek clean`
- [x] `deploy-fly` workflow builds and deploys the new fly image on merge
- [x] `fly status -a blumeops-proxy` healthy after deploy
- [x] Spot-check a few mise tasks (`mise run blumeops-tasks`, `mise run docs-check-links`) to confirm pinned deps resolve cleanly

Reviewed-on: #344
2026-04-30 16:51:43 -07:00

4.3 KiB
Raw Blame History

title modified last-reviewed tags aliases id
Update Tooling Dependencies 2026-02-23 2026-02-23
how-to
configuration
update-tooling-dependencies

Update Tooling Dependencies

Monthly maintenance cycle for updating development tooling and CI dependencies. This is separate from review-services, which tracks deployed service versions.

Scope

Category Location What to check
Prek hooks prek.toml rev: tags for all remote repos
Fly.io proxy fly/Dockerfile Pinned image tags (nginx, alloy)
Mise task scripts mise-tasks/* Python # dependencies lower bounds
Forgejo workflows .forgejo/workflows/*.yaml uses: action versions

Out of scope: ArgoCD-deployed service images, Ansible role versions, NixOS flake inputs. Those are covered by review-services and manage-lockfile.

Procedure

1. Check prek hook versions

For each repo in prek.toml with a rev = value, check the upstream GitHub releases page for a newer tag. Update each rev to the commit SHA of the latest release with a trailing # vX.Y.Z comment (matches the additional_dependencies and Forgejo workflow pinning style). Also check additional_dependencies entries for PyPI version bumps and pin them with ==.

git ls-remote --tags https://github.com/<owner>/<repo>.git 'refs/tags/v*' | sort -t/ -k3 -V | tail -5

Clear the prek cache before verifying — it can grow to several GiB (one venv per hook per version) and old cached environments can mask resolution failures or stale catalogs:

prek clean
prek run --all-files

2. Check Fly.io Dockerfile pins

Review fly/Dockerfile for pinned image digests. Each FROM and COPY --from= uses image@sha256:... digest pinning with a comment line above documenting the human-readable version.

  • nginx — check Docker Hub for latest stable alpine tag
  • grafana/alloy — check GitHub releases
  • tailscale/tailscale — pinned to a known-good version. Do not bump to v1.96.5 or later (MagicDNS regression breaks the proxy boot)

To resolve a tag to a digest:

docker buildx imagetools inspect docker.io/<image>:<tag>
# Use the top-level "Digest:" line (multi-arch index) — not the per-platform sub-digest

After updating, the deploy-fly workflow will build and deploy on merge to main. Verify with fly status -a blumeops-proxy after deploy.

3. Pin mise task dependencies

Mise tasks use uv run --script with inline PEP 723 dependency metadata. All packages are pinned with == (PEP 508 doesn't support hashes inline). Check that pinned versions are consistent across all scripts:

grep -r 'dependencies' mise-tasks/ | grep '# dependencies'

For each package in use (httpx, rich, typer, pyyaml), pick the latest PyPI version and update every script in lockstep — divergence between scripts is the failure mode this catches. Bump everything together; don't leave one script behind.

4. Pin Forgejo workflow action versions

All uses: directives in .forgejo/workflows/*.yaml must reference upstream actions by commit SHA, not mutable tags. This prevents supply-chain attacks where a tag is moved to point at malicious code.

Format: uses: actions/checkout@<full-sha> # v4.3.1

The trailing comment documents the human-readable version. To update:

git ls-remote --tags https://github.com/actions/checkout.git 'refs/tags/v4*' | sort -t/ -k3 -V | tail -5

Pick the latest patch tag, note its SHA, and update all occurrences across the workflow files.

5. Commit and create PR

Create a single PR with all dependency bumps. The changelog fragment type is infra.

Notes

  • Alloy version gaps: Grafana Alloy releases frequently. Large version jumps (e.g., v1.5 to v1.13) are normal and generally safe — check the changelog for breaking changes in the Alloy River config syntax.
  • Ruff minor bumps: Ruff adds new lint rules in minor versions. A bump may surface new warnings. Run prek run ruff --all-files to check before committing.
  • shellcheck bumps: New shellcheck versions may flag previously-ignored patterns. Review any new failures before updating.