Update Tooling Dependencies
Monthly maintenance cycle for updating development tooling and CI dependencies. This is separate from review-services, which tracks deployed service versions.
Scope
| Category | Location | What to check |
|---|---|---|
| Pre-commit hooks | .pre-commit-config.yaml | rev: tags for all remote repos |
| Fly.io proxy | fly/Dockerfile | Pinned image tags (nginx, alloy) |
| Mise task scripts | mise-tasks/* | Python # dependencies lower bounds |
| Forgejo workflows | .forgejo/workflows/*.yaml | uses: action versions |
Out of scope: ArgoCD-deployed service images, Ansible role versions, NixOS flake inputs. Those are covered by review-services and manage-lockfile.
Procedure
1. Check pre-commit hook versions
For each repo in .pre-commit-config.yaml with a rev: tag, check the upstream GitHub releases page for a newer tag. Update each rev: to the latest release tag. Also check additional_dependencies entries for PyPI version bumps.
Verify after updating:
uvx pre-commit run --all-files2. Check Fly.io Dockerfile pins
Review fly/Dockerfile for pinned image tags:
- nginx — check Docker Hub for latest stable alpine tag
- grafana/alloy — check GitHub releases
- tailscale/tailscale — uses
stablerolling tag, no action needed
After updating, the deploy-fly workflow will build and deploy on merge to main. Verify with fly status -a blumeops-proxy after deploy.
3. Normalize mise task dependency bounds
Mise tasks use uv run --script with inline PEP 723 dependency metadata. Check that lower bounds are consistent across all scripts:
grep -r 'dependencies' mise-tasks/ | grep '# dependencies'Ensure all scripts using the same package agree on the minimum version. When a package has a new major or breaking minor release, bump the lower bound across all scripts at once.
4. Pin Forgejo workflow action versions
All uses: directives in .forgejo/workflows/*.yaml must reference upstream actions by commit SHA, not mutable tags. This prevents supply-chain attacks where a tag is moved to point at malicious code.
Format: uses: actions/checkout@<full-sha> # v4.3.1
The trailing comment documents the human-readable version. To update:
git ls-remote --tags https://github.com/actions/checkout.git 'refs/tags/v4*' | sort -t/ -k3 -V | tail -5Pick the latest patch tag, note its SHA, and update all occurrences across the workflow files.
5. Commit and create PR
Create a single PR with all dependency bumps. The changelog fragment type is infra.
Notes
- Alloy version gaps: Grafana Alloy releases frequently. Large version jumps (e.g., v1.5 to v1.13) are normal and generally safe — check the changelog for breaking changes in the Alloy River config syntax.
- Ruff minor bumps: Ruff adds new lint rules in minor versions. A bump may surface new warnings. Run
uvx pre-commit run ruff --all-filesto check before committing. - shellcheck bumps: New shellcheck versions may flag previously-ignored patterns. Review any new failures before updating.