blumeops/docs/how-to/configuration/update-tooling-dependencies.md
Erich Blume 7a1875936c Switch git hooks from pre-commit to prek (#276)
## Summary

- Replace pre-commit with [prek](https://github.com/j178/prek), a faster Rust-native drop-in alternative
- Migrate config from `.pre-commit-config.yaml` (YAML) to `prek.toml` (TOML)
- Add new built-in checks: case conflicts, private key detection, executable shebangs
- Install prek via mise native registry (`aqua:j178/prek`) instead of pipx
- Update all doc references across README, contributing guide, and how-to docs

## Notes

- `check-yaml` still uses the remote `pre-commit-hooks` repo because prek's builtin fast path doesn't support `--unsafe` yet (needed for Ansible custom YAML tags)
- All existing custom hooks (docs validation, container version check, mikado invariant, workflow validation) work unchanged
- Tested: all hooks pass on clean tree, deliberate doc link breakage is caught

## Test plan

- [x] `prek run --all-files` passes all checks
- [x] Broken wiki-link correctly caught by `docs-check-links`
- [x] taplo-format auto-fixes TOML formatting on commit
- [x] commit-msg hook (mikado invariant) fires correctly

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/276
2026-03-02 18:15:23 -08:00


---
title: Update Tooling Dependencies
modified: 2026-02-23
last-reviewed: 2026-02-23
tags:
  - how-to
  - configuration
aliases: []
id: update-tooling-dependencies
---

# Update Tooling Dependencies

Monthly maintenance cycle for updating development tooling and CI dependencies. This is separate from review-services, which tracks deployed service versions.

## Scope

| Category | Location | What to check |
|---|---|---|
| Prek hooks | `prek.toml` | `rev:` tags for all remote repos |
| Fly.io proxy | `fly/Dockerfile` | Pinned image tags (nginx, alloy) |
| Mise task scripts | `mise-tasks/*` | Python `# dependencies` lower bounds |
| Forgejo workflows | `.forgejo/workflows/*.yaml` | `uses:` action versions |

Out of scope: ArgoCD-deployed service images, Ansible role versions, NixOS flake inputs. Those are covered by review-services and manage-lockfile.

## Procedure

### 1. Check prek hook versions

For each repo in `prek.toml` with a `rev =` value, check the upstream GitHub releases page for a newer tag. Update each `rev` to the latest release tag. Also check `additional_dependencies` entries for PyPI version bumps.

Verify after updating:

```sh
prek run --all-files
```

### 2. Check Fly.io Dockerfile pins

Review `fly/Dockerfile` for pinned image tags:

- `nginx` — check Docker Hub for latest stable alpine tag
- `grafana/alloy` — check GitHub releases
- `tailscale/tailscale` — uses stable rolling tag, no action needed

After updating, the `deploy-fly` workflow will build and deploy on merge to `main`. Verify with `fly status -a blumeops-proxy` after deploy.

### 3. Normalize mise task dependency bounds

Mise tasks use `uv run --script` with inline PEP 723 dependency metadata. Check that lower bounds are consistent across all scripts:

```sh
grep -r 'dependencies' mise-tasks/ | grep '# dependencies'
```

Ensure all scripts using the same package agree on the minimum version. When a package has a new major or breaking minor release, bump the lower bound across all scripts at once.

### 4. Pin Forgejo workflow action versions

All `uses:` directives in `.forgejo/workflows/*.yaml` must reference upstream actions by commit SHA, not mutable tags. This prevents supply-chain attacks where a tag is moved to point at malicious code.

Format: `uses: actions/checkout@<full-sha> # v4.3.1`

The trailing comment documents the human-readable version. To update:

```sh
git ls-remote --tags https://github.com/actions/checkout.git 'refs/tags/v4*' | sort -t/ -k3 -V | tail -5
```

Pick the latest patch tag, note its SHA, and update all occurrences across the workflow files.
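As an added example (not part of the blumeops repo), the script below audits `uses:` directives for the convention above: a full 40-hex commit SHA followed by a version comment. It assumes the workflow files live at `.forgejo/workflows/*.yaml` as stated; the sample workflow and its SHAs are constructed placeholders, not real commits.

```bash
#!/usr/bin/env bash
# Added example, not part of the blumeops repo: audit `uses:` directives in
# workflow files for a full 40-hex commit SHA pin plus the trailing version comment.
set -u
# Usage: check_uses_pins FILE...  Prints "FILE:LINE: reason: directive" per
# violation; returns 0 only if every remote action is SHA-pinned and commented.
check_uses_pins() {
  local status=0 file lineno line ref comment
  for file in "$@"; do
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
      lineno=$((lineno + 1))
      case "$line" in
        *uses:*docker://*|*uses:*./*) continue ;;  # image or local action: nothing to pin
        *uses:*@*) ;;                              # remote action: check its ref
        *) continue ;;
      esac
      # ref = text after '@' up to whitespace or '#'; comment = text after '#'
      ref=${line#*@}; ref=${ref%%[[:space:]]*}; ref=${ref%%#*}
      case "$line" in *\#*) comment=${line#*#} ;; *) comment='' ;; esac
      if ! printf '%s\n' "$ref" | grep -Eq '^[0-9a-f]{40}$'; then
        printf '%s:%s: mutable ref "%s": %s\n' "$file" "$lineno" "$ref" "$line"; status=1
      elif [ -z "${comment//[[:space:]]/}" ]; then
        printf '%s:%s: missing version comment: %s\n' "$file" "$lineno" "$line"; status=1
      fi
    done < "$file"
  done
  return "$status"
}
# Writes a workflow given as a string to a temp file and audits it; prints the
# violations and returns check_uses_pins' status (used by the demo below).
audit_string() {
  local tmp rc=0
  tmp=$(mktemp)
  printf '%s\n' "$1" > "$tmp"
  check_uses_pins "$tmp" || rc=$?
  rm -f "$tmp"
  return "$rc"
}
# Constructed sample (placeholder SHAs, not real commits): one correct pin, one
# mutable tag, one SHA missing its version comment, and two skipped forms.
SAMPLE_WORKFLOW='    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.3.1
      - uses: actions/setup-python@v5
      - uses: actions/cache@89abcdef0123456789abcdef0123456789abcdef
      - uses: docker://alpine:3.20
      - uses: ./.forgejo/actions/local-check'
audit_string "$SAMPLE_WORKFLOW" || :   # demo run; non-zero status intentionally ignored
```

Against the real tree, run `check_uses_pins .forgejo/workflows/*.yaml` after step 4 and before opening the PR; a non-zero exit means a tag-pinned or uncommented action slipped through.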

### 5. Commit and create PR

Create a single PR with all dependency bumps. The changelog fragment type is `infra`.

## Notes

- Alloy version gaps: Grafana Alloy releases frequently. Large version jumps (e.g., v1.5 to v1.13) are normal and generally safe — check the changelog for breaking changes in the Alloy River config syntax.
- Ruff minor bumps: Ruff adds new lint rules in minor versions. A bump may surface new warnings. Run `prek run ruff --all-files` to check before committing.
- shellcheck bumps: New shellcheck versions may flag previously-ignored patterns. Review any new failures before updating.