Erich Blume
f6e392b80c
All checks were successful
Deploy Fly.io Proxy / deploy (push) Successful in 1m45s
## Summary Monthly tooling dependency refresh, with a one-time conversion from version-tag pins (`rev = "vX.Y.Z"`, `image:tag`, `>=`) to SHA / digest pins everywhere. ## Changes - **prek hooks**: all `rev = "vX.Y.Z"` → commit SHA + `# vX.Y.Z` comment. Bumped trufflehog (3.94.0→3.95.2), kingfisher (1.91.0→1.97.0), ruff (0.15.7→0.15.12), shfmt (3.13.0→3.13.1), prettier (3.8.1→3.8.3), actionlint (1.7.11→1.7.12). - **fly/Dockerfile**: tag pins → `image@sha256:...` digest pins. Bumped nginx (1.29.6→1.30.0-alpine), tailscale (v1.94.1→v1.94.2 — still inside the safe pre-1.96.5 range), alloy (v1.14.1→v1.16.0). - **mise-tasks**: PEP 723 inline deps converted from `>=` to `==` (PEP 508 doesn't support hashes inline). All scripts pinned to current latest: rich 15.0.0, typer 0.25.0, pyyaml 6.0.3, httpx 0.28.1. - **prek `additional_dependencies`**: ansible-lint==26.4.0, ansible-core==2.20.5. - **taplo-lint**: pass `--no-schema`. Upstream's `--default-schema-catalogs` returns a format taplo v0.9.3 can't parse — we don't validate against TOML schemas anyway, so this turns off the broken catalog fetch. - **docs/update-tooling-dependencies**: documents the SHA-pin convention, `docker buildx imagetools inspect` for digest lookup, and `prek clean` before re-verifying (cache grows to several GiB). Forgejo workflow `actions/checkout@v6.0.2` was already at the latest SHA — no change. ## Test plan - [x] `prek run --all-files` passes after `prek clean` - [x] `deploy-fly` workflow builds and deploys the new fly image on merge - [x] `fly status -a blumeops-proxy` healthy after deploy - [x] Spot-check a few mise tasks (`mise run blumeops-tasks`, `mise run docs-check-links`) to confirm pinned deps resolve cleanly Reviewed-on: #344 |
||
|---|---|---|
| .. | ||
| +agent-file-neutralization.ai.md | ||
| +argocd-resource-limits.infra.md | ||
| +blumeops-tasks-due-recurrence.feature.md | ||
| +claude-md-import-agents.ai.md | ||
| +container-build-suggest-runner-logs.misc.md | ||
| +fix-forge-static-assets.bugfix.md | ||
| +frigate-notify-local.infra.md | ||
| +prowler-rebuild-on-main.infra.md | ||
| +remove-devpi-container-build.misc.md | ||
| +review-cc-ephemeral-privileged-jobs.misc.md | ||
| +review-compliance-image-iac.feature.md | ||
| +review-contributing-doc.doc.md | ||
| +review-navidrome-doc.doc.md | ||
| +ringtail-sway-fuzzel.bugfix.md | ||
| +runner-logs-auth.feature.md | ||
| +transmission-doc-review.doc.md | ||
| .gitkeep | ||
| cleanup-cv-docs-minikube-artifacts.misc.md | ||
| dagger-0-20-6-runner-image-alpine.infra.md | ||
| forgejo-runner-v12-8-server-connections.infra.md | ||
| migrate-cv-docs-to-indri.infra.md | ||
| migrate-devpi-to-indri.infra.md | ||
| prowler-iac-mutelist.infra.md | ||
| update-tooling-deps-2026-04.doc.md | ||
| update-tooling-deps-2026-04.infra.md | ||