| name | upgrade-tools |
| description | Upgrade every pinned tool and dependency (mise, go.mod, pyproject.toml, GitHub Actions, dprint, ...) to latest stable, one ecosystem at a time with validation. Use when bumping a repo's toolchain or dependencies. |
| metadata | {"author":"Médéric HURIER (Fmind)","source":"github.com/fmind/dotfiles/tree/main/skills/upgrade-tools","created":"2026-07-05T00:00:00.000Z","updated":"2026-07-06T00:00:00.000Z"} |
Upgrade Tools & Dependencies
Bump every pinned tool and dependency in a repository to its latest stable version, one ecosystem at a time, validating after each so a bad bump is caught immediately. Covers the manifests this repo uses: mise tool pins, Go modules, Python (pyproject.toml), OpenTofu/Terraform config, container images, GitHub Actions, and dprint plugins.
Principles
- Latest stable only: no RCs/betas/pre-releases (except tools intentionally range-pinned pre-1.0, e.g.
ty>=0.0.51,<0.1).
- One ecosystem at a time: upgrade →
mise run check + mise run test → commit. Never bump everything then debug a wall of failures.
- Lockfiles are the record: commit
mise.lock, go.sum, uv.lock, .terraform.lock.hcl. The manifest says "latest"; the lockfile says "which latest".
- Validate, don't trust: an upgrade isn't done until
mise run check and mise run test pass. A green pre-existing baseline makes regressions obvious.
- Respect semver majors:
go get -u / uv lock --upgrade stay within declared majors; a major bump is a deliberate, separately-reviewed change.
Per-Manifest Playbook
mise — tool versions (mise.toml, mise.lock)
Pins usually read latest; the lockfile pins the resolved version. Bump both:
mise upgrade --bump
mise lock
This repo orchestrates home + repo configs in one task — see the top-level mise run upgrade (bumps ~/.config/mise and the repo, re-locks, applies, reinstalls). Commit the updated dot_config/mise/mise.lock.
Go — modules & tools (go.mod, go.sum)
go get -u ./...
go get -u tool
go mod tidy
Bump the go directive when a newer stable toolchain ships (go 1.NN.P). Validate with mise run check (golangci-lint + govulncheck) and mise run test. See go-stack.
Python — dependencies (pyproject.toml, uv.lock)
uv lock --upgrade
uv sync
Raise requires-python and dependency floors only when you rely on a newer feature; keep pre-1.0 tools range-pinned. To bump constraints inside pyproject.toml, run uv add <package>@latest or update the dependency array manually. Validate with mise run check + mise run test. See python-stack.
OpenTofu / Terraform — providers & modules (.terraform.lock.hcl)
tofu init -upgrade
tofu providers lock -platform=linux_amd64 -platform=darwin_arm64
Validate with tofu validate and tflint. Scan configuration with trivy config (see security-scan).
Container Images — base image pins (Dockerfile)
Locate the latest stable digest for your pinned base images (e.g., from Chainguard Images or Docker Hub) and update the tag/digest references:
FROM python:3.14-slim
Validate by rebuilding the image (mise run build:image) and scanning (mise run check:image or trivy image). See containerize.
GitHub Actions — workflow pins (.github/workflows/*.yml)
Pin third-party actions by full commit SHA (supply-chain safety) and bump the SHA on release; keep first-party actions (actions/checkout, jdx/mise-action) at the latest major. Automate with pinact run or Dependabot (.github/dependabot.yml, package-ecosystem: github-actions). Validate with actionlint. See github-actions.
dprint — formatter plugins (dprint.json / dprint.jsonc)
dprint config update
Run for each config (root and nested extends). Validate with dprint check. See dprint.
Other ecosystems
Same shape — bump, then re-lock, then validate:
- Node: use
npx npm-check-updates -u or pnpm update --latest to bump package.json constraints, then re-lock (npm install / pnpm install / pnpm update).
- Rust:
cargo update → commit Cargo.lock. Use cargo upgrade (from cargo-edit) to bump constraints in Cargo.toml.
- Agent skills:
skills update -g -y (this repo: mise run skills).
Validate & Commit
- After each ecosystem, run
mise run check and mise run test (or the repo's equivalents); for config/markup, dprint check.
- Run the full hook suite once at the end:
lefthook run pre-commit --all-files then lefthook run pre-push --all-files.
- Commit lockfiles alongside manifests, one Conventional Commit per ecosystem —
chore(deps): upgrade <ecosystem> to latest (see conventional-commit).
- CI re-runs the same
mise run tasks, so a green PR means the upgrade is reproducible.
Documentation