eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/docs/how-to/configuration/update-tooling-dependencies.md
Erich Blume 63263abb97 Switch git hooks from pre-commit to prek 
prek is a faster, Rust-native drop-in replacement for pre-commit.
Migrates config from .pre-commit-config.yaml to prek.toml, adds
built-in checks for case conflicts, private key detection, and
executable shebangs. Updates all doc references.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-02 18:14:03 -08:00

81 lines
3.3 KiB
Markdown
Raw Blame History

---
title: Update Tooling Dependencies
modified: 2026-02-23
last-reviewed: 2026-02-23
tags:
- how-to
- configuration
aliases: []
id: update-tooling-dependencies
---
# Update Tooling Dependencies
Monthly maintenance cycle for updating development tooling and CI dependencies. This is separate from [[review-services]], which tracks deployed service versions.
## Scope
| Category | Location | What to check |
|----------|----------|---------------|
| Prek hooks | `prek.toml` | `rev:` tags for all remote repos |
| Fly.io proxy | `fly/Dockerfile` | Pinned image tags (nginx, alloy) |
| Mise task scripts | `mise-tasks/*` | Python `# dependencies` lower bounds |
| Forgejo workflows | `.forgejo/workflows/*.yaml` | `uses:` action versions |
Out of scope: ArgoCD-deployed service images, Ansible role versions, NixOS flake inputs. Those are covered by [[review-services]] and [[manage-lockfile]].
## Procedure
### 1. Check prek hook versions
For each repo in `prek.toml` with a `rev =` value, check the upstream GitHub releases page for a newer tag. Update each `rev` to the latest release tag. Also check `additional_dependencies` entries for PyPI version bumps.
Verify after updating:
```fish
prek run --all-files
```
### 2. Check Fly.io Dockerfile pins
Review `fly/Dockerfile` for pinned image tags:
- **nginx** — check [Docker Hub](https://hub.docker.com/_/nginx) for latest stable alpine tag
- **grafana/alloy** — check [GitHub releases](https://github.com/grafana/alloy/releases)
- **tailscale/tailscale** — uses `stable` rolling tag, no action needed
After updating, the deploy-fly workflow will build and deploy on merge to main. Verify with `fly status -a blumeops-proxy` after deploy.
### 3. Normalize mise task dependency bounds
Mise tasks use `uv run --script` with inline PEP 723 dependency metadata. Check that lower bounds are consistent across all scripts:
```fish
grep -r 'dependencies' mise-tasks/ | grep '# dependencies'
```
Ensure all scripts using the same package agree on the minimum version. When a package has a new major or breaking minor release, bump the lower bound across all scripts at once.
### 4. Pin Forgejo workflow action versions
All `uses:` directives in `.forgejo/workflows/*.yaml` must reference upstream actions by **commit SHA**, not mutable tags. This prevents supply-chain attacks where a tag is moved to point at malicious code.
Format: `uses: actions/checkout@<full-sha> # v4.3.1`
The trailing comment documents the human-readable version. To update:
```fish
git ls-remote --tags https://github.com/actions/checkout.git 'refs/tags/v4*' | sort -t/ -k3 -V | tail -5
```
Pick the latest patch tag, note its SHA, and update all occurrences across the workflow files.
### 5. Commit and create PR
Create a single PR with all dependency bumps. The changelog fragment type is `infra`.
## Notes
- **Alloy version gaps**: Grafana Alloy releases frequently. Large version jumps (e.g., v1.5 to v1.13) are normal and generally safe — check the [changelog](https://github.com/grafana/alloy/releases) for breaking changes in the Alloy River config syntax.
- **Ruff minor bumps**: Ruff adds new lint rules in minor versions. A bump may surface new warnings. Run `prek run ruff --all-files` to check before committing.
- **shellcheck bumps**: New shellcheck versions may flag previously-ignored patterns. Review any new failures before updating.
Reference in a new issue View git blame Copy permalink