eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/docs/how-to
History
Erich Blume f6e392b80c
All checks were successful
Deploy Fly.io Proxy / deploy (push) Successful in 1m45s
Details
C1: SHA-pin tooling dependencies (2026-04 cycle) (#344) 
## Summary

Monthly tooling dependency refresh, with a one-time conversion from version-tag pins (`rev = "vX.Y.Z"`, `image:tag`, `>=`) to SHA / digest pins everywhere.

## Changes

- **prek hooks**: all `rev = "vX.Y.Z"` → commit SHA + `# vX.Y.Z` comment. Bumped trufflehog (3.94.0→3.95.2), kingfisher (1.91.0→1.97.0), ruff (0.15.7→0.15.12), shfmt (3.13.0→3.13.1), prettier (3.8.1→3.8.3), actionlint (1.7.11→1.7.12).
- **fly/Dockerfile**: tag pins → `image@sha256:...` digest pins. Bumped nginx (1.29.6→1.30.0-alpine), tailscale (v1.94.1→v1.94.2 — still inside the safe pre-1.96.5 range), alloy (v1.14.1→v1.16.0).
- **mise-tasks**: PEP 723 inline deps converted from `>=` to `==` (PEP 508 doesn't support hashes inline). All scripts pinned to current latest: rich 15.0.0, typer 0.25.0, pyyaml 6.0.3, httpx 0.28.1.
- **prek `additional_dependencies`**: ansible-lint==26.4.0, ansible-core==2.20.5.
- **taplo-lint**: pass `--no-schema`. Upstream's `--default-schema-catalogs` returns a format taplo v0.9.3 can't parse — we don't validate against TOML schemas anyway, so this turns off the broken catalog fetch.
- **docs/update-tooling-dependencies**: documents the SHA-pin convention, `docker buildx imagetools inspect` for digest lookup, and `prek clean` before re-verifying (cache grows to several GiB).

Forgejo workflow `actions/checkout@v6.0.2` was already at the latest SHA — no change.

## Test plan

- [x] `prek run --all-files` passes after `prek clean`
- [x] `deploy-fly` workflow builds and deploys the new fly image on merge
- [x] `fly status -a blumeops-proxy` healthy after deploy
- [x] Spot-check a few mise tasks (`mise run blumeops-tasks`, `mise run docs-check-links`) to confirm pinned deps resolve cleanly

Reviewed-on: #344
2026-04-30 16:51:43 -07:00
..
authentik Restructure docs: consolidate, recategorize, and extract 2026-03-15 19:55:59 -07:00
configuration C1: SHA-pin tooling dependencies (2026-04 cycle) (#344) 2026-04-30 16:51:43 -07:00
dagger Switch container builds to manual-only workflow dispatch 2026-04-16 14:25:14 -07:00
deployment Switch container builds to manual-only workflow dispatch 2026-04-16 14:25:14 -07:00
forgejo-runner Upgrade forgejo-runner to v12.8, adopt server.connections, and clean up docs (#338) 2026-04-20 09:03:54 -07:00
grafana Upgrade grafana-sidecar 1.28.0 → 2.6.0 + container.py port (#332) 2026-04-13 07:57:13 -07:00
knowledgebase Doc review: delete install-dagger-on-nix-runner, add service-versions ref card 2026-04-12 09:52:38 -07:00
mealie C0: docs — add mealie borg restore how-to 2026-04-24 19:04:28 -07:00
operations C1: SHA-pin tooling dependencies (2026-04 cycle) (#344) 2026-04-30 16:51:43 -07:00
ringtail Add ringtail post-deploy maintenance: kernel check, generation pruning, GC 2026-03-27 07:55:45 -07:00
runbooks C2: Deploy infrastructure alerting pipeline (#303) 2026-03-22 14:52:56 -07:00
zot docs: review zot oidc client card 2026-04-20 07:55:25 -07:00