blumeops/docs/how-to/configuration/update-tooling-dependencies.md
Erich Blume cb9a06bb75
Update tooling dependencies (Feb 2026 cycle) (#254)
## Summary

Monthly tooling dependency update cycle:

- **Pre-commit hooks**: trufflehog v3.92.5→v3.93.4, ruff v0.14.13→v0.15.2, shellcheck v0.10.0.1→v0.11.0.1, prettier v3.8.0→v3.8.1, actionlint v1.7.10→v1.7.11
- **Fly.io Dockerfile**: pin nginx to 1.28.2-alpine (was unpinned), bump alloy v1.5.1→v1.13.1
- **Mise tasks**: normalize httpx lower bound to >=0.28.0 and typer to >=0.15.0 across all scripts
- **Forgejo workflows**: actions/checkout@v4 is current, no changes needed
- **New how-to doc**: [[update-tooling-dependencies]] documenting this monthly cycle

## No changes needed

- pre-commit-hooks v6.0.0, yamllint v1.38.0, shfmt v3.12.0-2, taplo v0.9.3, ansible-lint 26.1.1 — all already at latest

## Test plan

- [x] `uvx pre-commit run --all-files` — all 24 hooks pass
- [ ] Fly.io deploy (triggered automatically on merge to main via deploy-fly workflow)

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/254
2026-02-23 13:08:41 -08:00


| title | modified | last-reviewed | tags |
|---|---|---|---|
| Update Tooling Dependencies | 2026-02-23 | 2026-02-23 | how-to, configuration |

Update Tooling Dependencies

Monthly maintenance cycle for updating development tooling and CI dependencies. This is separate from review-services, which tracks deployed service versions.

Scope

| Category | Location | What to check |
|---|---|---|
| Pre-commit hooks | `.pre-commit-config.yaml` | `rev:` tags for all remote repos |
| Fly.io proxy | `fly/Dockerfile` | Pinned image tags (nginx, alloy) |
| Mise task scripts | `mise-tasks/*` | Python `# dependencies` lower bounds |
| Forgejo workflows | `.forgejo/workflows/*.yaml` | `uses:` action versions |

Out of scope: ArgoCD-deployed service images, Ansible role versions, NixOS flake inputs. Those are covered by review-services and manage-lockfile.

Procedure

1. Check pre-commit hook versions

For each repo in .pre-commit-config.yaml with a rev: tag, check the upstream GitHub releases page for a newer tag. Update each rev: to the latest release tag. Also check additional_dependencies entries for PyPI version bumps.

Verify after updating:

```bash
uvx pre-commit run --all-files
```

2. Check Fly.io Dockerfile pins

Review fly/Dockerfile for pinned image tags:

  • nginx — check Docker Hub for latest stable alpine tag
  • grafana/alloy — check GitHub releases
  • tailscale/tailscale — uses stable rolling tag, no action needed

After updating, the deploy-fly workflow will build and deploy on merge to main. Verify with fly status -a blumeops-proxy after deploy.

3. Normalize mise task dependency bounds

Mise tasks use uv run --script with inline PEP 723 dependency metadata. Check that lower bounds are consistent across all scripts:

```bash
grep -r 'dependencies' mise-tasks/ | grep '# dependencies'
```

Ensure all scripts using the same package agree on the minimum version. When a package has a new major or breaking minor release, bump the lower bound across all scripts at once.

4. Check Forgejo workflow action versions

Review .forgejo/workflows/*.yaml for uses: directives. Currently, all workflows use actions/checkout@v4, which tracks the latest v4.x.

5. Commit and create PR

Create a single PR with all dependency bumps. The changelog fragment type is infra.

Notes

  • Alloy version gaps: Grafana Alloy releases frequently. Large version jumps (e.g., v1.5 to v1.13) are normal and generally safe — check the changelog for breaking changes in the Alloy River config syntax.
  • Ruff minor bumps: Ruff adds new lint rules in minor versions. A bump may surface new warnings. Run uvx pre-commit run ruff --all-files to check before committing.
  • shellcheck bumps: New shellcheck versions may flag previously-ignored patterns. Review any new failures before updating.