chore(images): bump conservatively-pinned tags forward (target-latest policy)

Three Quadlets had been pinned to last-major-line tags by the
2026-05-05 audit's remediation (commit 507a7fa). Probing the
upstream registries with proper bearer-token auth shows newer
stable majors are now published cleanly:

  Ceph:    v18 (Reef)  -> v19 (Squid, current stable line)
            digest sha256:af0c5903e901e329adabe219dfc8d0c3efc1f05102a753902f33ee16c26b6cee
  Forgejo: 11          -> 12 (current major)
            digest sha256:dbb0f88677f0c65cd1b66fb83504225aa5a04c4bc4a5ffdf9fc9a3a6d5bb1c68
  Runner:  6           -> 7 (current major)
            digest sha256:f66c6bed9e8ff5a886cf5b302a52317d8e05c392ddcc8d9f34398142ee2a5822

All three were verified at HEAD against
- quay.io/ceph/ceph:v19
- codeberg.org/forgejo/forgejo:12
- code.forgejo.org/forgejo/runner:7
via the registry's WWW-Authenticate-discovered token endpoint.
Tags resolve, digests recorded.

Touched files:
  - etc/containers/systemd/mios-ceph.container: Image= line + header
    comment now describes Squid-line tracking.
  - etc/containers/systemd/mios-forge.container: Image= line.
  - etc/containers/systemd/mios-forgejo-runner.container: Image= line.
  - automation/lib/globals.{sh,ps1}: MIOS_CONTAINER_FORGE_IMAGE bumped
    so the build orchestrator picks 12 by default if a Quadlet is
    rendered from globals (matches the Quadlet-pinned tag).
  - usr/share/mios/env.defaults: MIOS_CEPH_VERSION/MIOS_CEPH_IMAGE +
    MIOS_FORGE_VERSION/MIOS_FORGE_IMAGE bumped for env-overlay
    consumers (mios-bootstrap, post-deploy bootstrap scripts).
  - automation/manifest.json + tools/manifest.json regenerated.

The audit doc (AUDIT-FINDINGS-20260505.md) is a historical snapshot
and is intentionally NOT rewritten -- 507a7fa's :v18/:11/:6 pins
were correct as of the 2026-05-05 audit; this commit captures the
forward-bump per the target-latest policy.

Why: per project policy, every dependency tracks the newest stable
upstream tag. The audit's conservative pins were safe but bit-rot
the moment upstream cuts a new major; bumping forward keeps the
self-replication loop converging on the leading edge instead of
freezing on a successively older major line.

Author: Kabuki94

automation/lib/globals.ps1

@@ -152,7 +152,7 @@ $script:MIOS_UNIT_USER_SESSION      = "user@$($script:MIOS_UID).service"
 # ── CONTAINERS / DISTROBOX ───────────────────────────────────────────
 $script:MIOS_DISTROBOX_AICHAT           = 'mios-aichat'
 $script:MIOS_CONTAINER_AICHAT_IMAGE     = 'localhost/mios/aichat:latest'
-$script:MIOS_CONTAINER_FORGE_IMAGE      = 'codeberg.org/forgejo/forgejo:11'
+$script:MIOS_CONTAINER_FORGE_IMAGE      = 'codeberg.org/forgejo/forgejo:12'
 $script:MIOS_CONTAINER_LOCALAI_IMAGE    = 'docker.io/localai/localai:latest'
 $script:MIOS_CONTAINER_OLLAMA_IMAGE     = 'docker.io/ollama/ollama:latest'
 

automation/lib/globals.sh

@@ -218,7 +218,7 @@ export MIOS_UNIT_OLLAMA_FIRSTBOOT MIOS_UNIT_WSL_FIRSTBOOT MIOS_UNIT_USER_SESSION
 # ── CONTAINERS / DISTROBOX ───────────────────────────────────────────
 : "${MIOS_DISTROBOX_AICHAT:=mios-aichat}"
 : "${MIOS_CONTAINER_AICHAT_IMAGE:=localhost/mios/aichat:latest}"
-: "${MIOS_CONTAINER_FORGE_IMAGE:=codeberg.org/forgejo/forgejo:11}"
+: "${MIOS_CONTAINER_FORGE_IMAGE:=codeberg.org/forgejo/forgejo:12}"
 : "${MIOS_CONTAINER_LOCALAI_IMAGE:=docker.io/localai/localai:latest}"
 : "${MIOS_CONTAINER_OLLAMA_IMAGE:=docker.io/ollama/ollama:latest}"
 

automation/manifest.json

@@ -2,7 +2,11 @@
 # Minimal Ceph monitor for storage orchestration.
 #
 # Image tag: bootstrap overrides this with the site-specific Ceph version.
-# v18 (Reef) is the 'MiOS' default stable branch tag -- less mutable than :latest.
+# v19 (Squid) is the 'MiOS' default stable branch tag -- the current upstream
+# stable line. v18 (Reef) is still supported but Squid is the active release;
+# we track the newest stable per the "target latest" policy. The pinned digest
+# below freezes the build-time snapshot; the floating :v19 tag in the ref is
+# what the configurator HTML / mios.toml override should point at.
 # Ceph and K3s run as root (uid 0) by necessity: Ceph requires privileged
 # storage access; both are documented architectural exceptions to UNPRIVILEGED-EXECUTION.
 
@@ -18,7 +22,7 @@ ConditionPathExists=/etc/ceph/ceph.conf
 ConditionVirtualization=!container
 
 [Container]
-Image=quay.io/ceph/ceph:v18@sha256:69cbef90eb58cf96e572e7497227a2bcb0ec9175bc2247809c0a37857db9b820
+Image=quay.io/ceph/ceph:v19@sha256:af0c5903e901e329adabe219dfc8d0c3efc1f05102a753902f33ee16c26b6cee
 ContainerName=mios-ceph
 Network=mios.network
 Volume=/var/lib/ceph:/var/lib/ceph:Z

etc/containers/systemd/mios-ceph.container

@@ -26,7 +26,7 @@ ConditionVirtualization=|!container
 ConditionVirtualization=|wsl
 
 [Container]
-Image=codeberg.org/forgejo/forgejo:11@sha256:1d5f7d9e7ec970b50d5817317c3ec86d4aabb10893c5dea2e9dd4f8c3470a09c
+Image=codeberg.org/forgejo/forgejo:12@sha256:dbb0f88677f0c65cd1b66fb83504225aa5a04c4bc4a5ffdf9fc9a3a6d5bb1c68
 ContainerName=mios-forge
 Network=mios.network
 # 3000 = web UI (reverse-proxy via Cockpit/Caddy if desired).

etc/containers/systemd/mios-forge.container

@@ -45,7 +45,7 @@ ConditionVirtualization=|!container
 ConditionVirtualization=|wsl
 
 [Container]
-Image=code.forgejo.org/forgejo/runner:6@sha256:e8dd2880f2fc81984d2308b93f1bc064dfb41187942300676536c09a3b30043d
+Image=code.forgejo.org/forgejo/runner:7@sha256:f66c6bed9e8ff5a886cf5b302a52317d8e05c392ddcc8d9f34398142ee2a5822
 ContainerName=mios-forgejo-runner
 Network=mios.network
 

etc/containers/systemd/mios-forgejo-runner.container

@@ -1,5 +1,5 @@
 {
-  "generated_at": "2026-05-05T20:36:53.037914",
+  "generated_at": "2026-05-05T22:01:05.681834",
   "source_directory": "tools",
   "entries": [
     {

tools/manifest.json

@@ -40,10 +40,10 @@ MIOS_LOCALAI_VERSION="v2.20.0"
 MIOS_LOCALAI_IMAGE="localai/localai:v2.20.0"
 MIOS_K3S_VERSION="v1.32.1-k3s1"
 MIOS_K3S_IMAGE="rancher/k3s:v1.32.1-k3s1"
-MIOS_CEPH_VERSION="v18"
-MIOS_CEPH_IMAGE="quay.io/ceph/ceph:v18"
-MIOS_FORGE_VERSION="11"
-MIOS_FORGE_IMAGE="codeberg.org/forgejo/forgejo:11"
+MIOS_CEPH_VERSION="v19"
+MIOS_CEPH_IMAGE="quay.io/ceph/ceph:v19"
+MIOS_FORGE_VERSION="12"
+MIOS_FORGE_IMAGE="codeberg.org/forgejo/forgejo:12"
 MIOS_FORGE_HTTP_PORT="3000"
 MIOS_FORGE_SSH_PORT="2222"