chore(dagger): align Dagger versions to v0.21.4 and add lint

Bump ci/dagger.json engineVersion, the .forgejo runner Dockerfile, and the
example systemd unit in DAGGER.md from 0.20.8 to 0.21.4 so they match the
running engine and the CLI already pinned by flake.nix.

Add scripts/check_dagger_versions.sh, wired into Taskfile (task
check-dagger-versions) and pre-commit, which fails if the four version
references drift.

Closes #542

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.forgejo/Dockerfile

@@ -18,7 +18,7 @@ RUN curl -fsSL -o /usr/local/bin/sops https://github.com/getsops/sops/releases/d
 
 # Dagger CLI — pinned to match the engine version on the runner host
 RUN curl -fsSL https://dl.dagger.io/dagger/install.sh \
-    | DAGGER_VERSION=0.20.8 BIN_DIR=/usr/local/bin sh
+    | DAGGER_VERSION=0.21.4 BIN_DIR=/usr/local/bin sh
 
 # Task runner
 RUN curl -fsSL https://taskfile.dev/install.sh \

.pre-commit-config.yaml

@@ -53,3 +53,9 @@ repos:
         entry: bash -c 'cd "$(git rev-parse --show-toplevel)" && nix develop --command task check-ci-images'
         pass_filenames: false
         files: ^(ci/main\.go|\.fvmrc)$
+      - id: dagger-versions-aligned
+        name: verify Dagger version is consistent across dagger.json, flake.nix, Dockerfile and DAGGER.md
+        language: system
+        entry: bash -c 'cd "$(git rev-parse --show-toplevel)" && scripts/check_dagger_versions.sh'
+        pass_filenames: false
+        files: ^(ci/dagger\.json|flake\.nix|\.forgejo/Dockerfile|DAGGER\.md)$

DAGGER.md

@@ -39,7 +39,7 @@ WorkingDirectory=/home/dagger-svc
 # Replace 1003 with the actual UID of dagger-svc
 Environment=DOCKER_HOST=unix:///run/user/1003/podman/podman.sock
 Environment=XDG_RUNTIME_DIR=/run/user/1003
-ExecStart=/usr/bin/nix run github:dagger/nix/v0.20.8#dagger -- engine --addr tcp://0.0.0.0:8080
+ExecStart=/usr/bin/nix run github:dagger/nix/v0.21.4#dagger -- engine --addr tcp://0.0.0.0:8080
 Restart=always
 
 [Install]

Taskfile.yml

@@ -712,6 +712,11 @@ tasks:
     cmds:
       - scripts/check_ci_images.sh
 
+  check-dagger-versions:
+    desc: Verify ci/dagger.json, flake.nix, .forgejo/Dockerfile and DAGGER.md pin the same Dagger version
+    cmds:
+      - scripts/check_dagger_versions.sh
+
   _integrations:
     internal: true
     run: once

ci/dagger.json

@@ -1,6 +1,6 @@
 {
   "name": "ci",
-  "engineVersion": "v0.20.8",
+  "engineVersion": "v0.21.4",
   "sdk": {
     "source": "go"
   }

flake.nix

@@ -49,8 +49,10 @@
           '';
         };
 
-        # The dagger/nix flake pins 0.20.8, whose Nix wrapper is a broken self-exec
-        # loop.  Fetch 0.21.4 directly so the pre-commit dart-check hook can run.
+        # The dagger/nix flake's Nix wrapper is a broken self-exec loop, so we
+        # fetch the CLI binary directly.  Keep this version in lockstep with
+        # ci/dagger.json (engineVersion) and .forgejo/Dockerfile (DAGGER_VERSION) —
+        # scripts/check_dagger_versions.sh enforces this.
         dagger021 = pkgs.stdenv.mkDerivation {
           pname = "dagger";
           version = "0.21.4";

scripts/check_dagger_versions.sh

@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+# Verify that the Dagger version is consistent across the project.
+#
+# The Dagger CLI must speak the same protocol as the engine it talks to.  We
+# pin the version in four places (engine image in DAGGER.md, the CLI in
+# flake.nix, the CLI in the Forgejo runner Dockerfile, and the module
+# engineVersion in ci/dagger.json).  This script fails if any of them drift.
+set -euo pipefail
+
+ROOT=$(git rev-parse --show-toplevel)
+
+# ci/dagger.json — strip leading "v" for comparison.
+dagger_json=$(grep -oE '"engineVersion"[[:space:]]*:[[:space:]]*"[^"]+"' "$ROOT/ci/dagger.json" \
+  | sed -E 's/.*"v?([^"]+)"$/\1/')
+
+# flake.nix — the dagger021 derivation's CLI download URL.
+flake_nix=$(grep -oE 'dagger_v[0-9]+\.[0-9]+\.[0-9]+_linux' "$ROOT/flake.nix" \
+  | head -n1 \
+  | sed -E 's/dagger_v([0-9.]+)_linux/\1/')
+
+# .forgejo/Dockerfile — DAGGER_VERSION env on the install line.
+dockerfile=$(grep -oE 'DAGGER_VERSION=[0-9]+\.[0-9]+\.[0-9]+' "$ROOT/.forgejo/Dockerfile" \
+  | head -n1 \
+  | cut -d= -f2)
+
+# DAGGER.md — engine image tag in the example systemd unit.
+dagger_md=$(grep -oE 'dagger/nix/v[0-9]+\.[0-9]+\.[0-9]+' "$ROOT/DAGGER.md" \
+  | head -n1 \
+  | sed -E 's@.*/v@@')
+
+printf 'ci/dagger.json    engineVersion = v%s\n' "$dagger_json"
+printf 'flake.nix         dagger021     = %s\n'  "$flake_nix"
+printf '.forgejo/Dockerf. DAGGER_VERSION= %s\n'  "$dockerfile"
+printf 'DAGGER.md         engine tag    = v%s\n' "$dagger_md"
+
+for v in "$flake_nix" "$dockerfile" "$dagger_md"; do
+  if [ -z "$v" ]; then
+    echo "ERROR: failed to parse a Dagger version reference." >&2
+    exit 1
+  fi
+  if [ "$v" != "$dagger_json" ]; then
+    echo "" >&2
+    echo "ERROR: Dagger versions are out of sync." >&2
+    echo "  Align ci/dagger.json, flake.nix, .forgejo/Dockerfile and DAGGER.md to the same version." >&2
+    exit 1
+  fi
+done
+
+echo "Dagger versions aligned (v$dagger_json)."