build: pin local + CI tool versions in .tool-versions (#157) #158
james/carol!158
Closes #157.
Summary

`.tool-versions` at repo root pins `node`, `gitleaks`, and `actionlint`. `actions/setup-node` reads it via `node-version-file`; gitleaks: `mise install`. The `mise` manager (human-review per ADR-0025) handles bumps.

Behavior changes worth flagging

- `node-version: "22"` (resolves to latest 22.x at install time) becomes node 22.23.0 — the current 22-LTS head. Runs are now reproducible; Renovate proposes patch bumps deliberately.
- After `mise install`, local matches CI. `GITLEAKS_VERSION` and `ACTIONLINT_VERSION` workflow envs are gone; the ~10 duplicated `node-version: "22"` literals in `pr.yml` + `secrets.yml` collapse to one source.
- mise can still install via brew — the hook still fires; CI is authoritative if versions drift.

Design rationale

In ADR-0025:

- `.tool-versions` and not `mise.toml` (setup-node reads `.tool-versions` natively; `mise.toml` it does not — same file feeds both).
- `setup-node` instead of mise-shimmed node in CI (setup-node's npm-cache restore is worth keeping).
- `package.json` `engines`.

Files

- `.tool-versions` — the new pin file.
- `.forgejo/workflows/{pr,secrets}.yml` — read versions from `.tool-versions`.
- `lefthook.yml` — hint messages lead with mise.
- `README.md` "Requirements" — leads with mise, brew as fallback.
- `CLAUDE.md` — one-line pointer under "Working in this repo".
- `docs/adr/0025-tool-versions-pin.md` + `docs/adr/README.md` — design doc.
- `renovate.json` — `mise` manager rule, human-review label.

Test plan

- static-analysis with actionlint, secrets/gitleaks all succeed (reading versions from `.tool-versions`)
- `git commit` after `mise install` (already verified for this commit — gitleaks + actionlint + commit-msg passed)
- `mise install` from `.tool-versions` installs node 22.23.0, gitleaks 8.30.1, actionlint 1.7.12
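The pin file described above is a single source of truth only if something notices when a developer's local tools stop matching it. The following POSIX shell script is an added example, not code from this PR or repository: it parses the `.tool-versions` format that mise (and `actions/setup-node` via `node-version-file`) read, and reports drift between the pinned version and an installed version. The sample file content is constructed here from the PR's pins (node 22.23.0, gitleaks 8.30.1, actionlint 1.7.12); the installed versions are passed in as arguments (the stale gitleaks 8.29.0 is a constructed value) so the script runs without any of the tools present.

```shell
#!/bin/sh
# Added example (not the PR's own code): parse a .tool-versions pin file and
# report drift between the pinned version and what is installed locally.
# Assumptions: the mise/asdf .tool-versions layout (one "<tool> <version>" per
# line, '#' comments); the sample content below is constructed for this example.

set -eu

# Constructed sample pin file, mirroring the PR's pins.
SAMPLE_TOOL_VERSIONS='# pinned for local + CI (read by mise and actions/setup-node)
node 22.23.0
gitleaks 8.30.1   # trailing comment, must be ignored
actionlint 1.7.12
'

# pinned_version CONTENT TOOL -> prints the version pinned for TOOL, ignoring
# comments and blank lines; prints nothing and returns 1 if TOOL is not pinned.
pinned_version() {
  printf '%s\n' "$1" | awk -v tool="$2" '
    { sub(/#.*/, "") }                                   # strip comments
    NF >= 2 && $1 == tool { print $2; found = 1; exit }  # first match wins
    END { exit found ? 0 : 1 }
  '
}

# check_drift CONTENT TOOL INSTALLED -> prints "ok", "drift", or "unpinned"
check_drift() {
  pinned=$(pinned_version "$1" "$2") || { echo unpinned; return 0; }
  if [ "$pinned" = "$3" ]; then echo ok; else echo drift; fi
}

# drift_report CONTENT TOOL INSTALLED [TOOL INSTALLED ...]
# Prints one line per tool; returns non-zero if any tool is not "ok".
drift_report() {
  file=$1; shift
  status=0
  while [ $# -ge 2 ]; do
    tool=$1; installed=$2; shift 2
    result=$(check_drift "$file" "$tool" "$installed")
    pinned=$(pinned_version "$file" "$tool" || echo -)
    printf '%-10s pinned=%-8s installed=%-8s %s\n' "$tool" "$pinned" "$installed" "$result"
    [ "$result" = ok ] || status=1
  done
  return $status
}

# Example run: node and actionlint match the pins, gitleaks is stale locally,
# so the report exits non-zero and points at the resync step.
if drift_report "$SAMPLE_TOOL_VERSIONS" node 22.23.0 gitleaks 8.29.0 actionlint 1.7.12; then
  echo "all tools match .tool-versions"
else
  echo "run 'mise install' to resync local tools with CI" >&2
fi
```

In a real checkout the installed versions would come from `node --version`, `gitleaks version` and `actionlint -version` rather than from arguments; a lefthook pre-commit hook can call `drift_report` and fail early, which keeps CI (which installs straight from the pin file) the authoritative side of any disagreement.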
CI report for .tool-versions (#157)

Trivy (container image)
Threshold: high · Total findings: 121 · At/above threshold: 16.27.0, 7.28.0, 8.5.0

📊 Test coverage
Patch coverage: no testable lines changed.
Overall (`app/`, `lib/`, `db/`, excluding UI per ADR-0019):
Soft thresholds per ADR-0019. Coverage is informational and does not block merge.

Commit: 760ae3bbbaccfdde2490