From 7b21b12e77c2022127c11265152d1efa5e81bdff Mon Sep 17 00:00:00 2001
From: Cameron Smith
Date: Mon, 16 Feb 2026 13:20:59 -0500
Subject: [PATCH 1/3] refactor(justfile): align release-package recipe with vanixiets pattern
Replace bun run delegation with direct npx semantic-release invocation. Remove inline bun install (CI handles this in a dedicated step). Remove redundant unset GITHUB_ACTIONS (--dry-run --no-ci suffices). Fix production path which referenced nonexistent bun run release script.
---
 justfile | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/justfile b/justfile
index fc0c6b5..a150151 100644
--- a/justfile
+++ b/justfile
@@ -735,12 +735,12 @@ preview-version base-branch package-path:
 release-package package-name dry-run="false":
 #!/usr/bin/env bash
 set -euo pipefail
- bun install
+ cd packages/{{package-name}}
 if [ "{{dry-run}}" = "true" ]; then
- unset GITHUB_ACTIONS
- cd packages/{{package-name}} && bun run test-release -- -b main
+ npx semantic-release --dry-run --no-ci
 else
- cd packages/{{package-name}} && bun run release
+ echo "This will create a real release. Use dry_run=true for testing."
+ npx semantic-release
 fi

 # Update version for a specific package across all relevant files
From 79a48757138f6586f34e63d654b05e202458e418 Mon Sep 17 00:00:00 2001
From: Cameron Smith
Date: Mon, 16 Feb 2026 13:21:42 -0500
Subject: [PATCH 2/3] refactor(ci): replace cycjimmy/semantic-release-action with direct invocation
Unify dry-run and production release paths into a single step that delegates to just release-package, matching the vanixiets pattern. Add bun install step for dependency installation and git-based release info extraction step for version/tag/released outputs. Eliminates version mismatch where the action pinned semantic-release v24 while package.json declared ^25.0.0.
---
 .github/workflows/package-release.yaml | 67 +++++++++++++++-----------
 1 file changed, 38 insertions(+), 29 deletions(-)
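Review bot: The hint printed before a real release, `Use dry_run=true for testing`, does not match the recipe's interface: the parameter is named `dry-run` and `just` takes it positionally, so the working invocation is `just release-package <package-name> true`; print that instead, e.g. `echo "This will create a real release. Run 'just release-package {{package-name}} true' for a dry run."`. Separately, now that the recipe no longer runs `bun install`, a bare `npx semantic-release` executed before dependencies are installed may fall through to fetching whatever semantic-release version the registry serves rather than the one pinned in the package's lockfile; `npx --no-install semantic-release` in both branches turns a missing local install into a hard failure instead. The dry-run branch also drops the explicit `-b main` that the old `test-release` script received, so running it from a non-release branch presumably fails inside semantic-release rather than previewing — worth confirming against the package's branch configuration.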
diff --git a/.github/workflows/package-release.yaml b/.github/workflows/package-release.yaml
index e0d4c3a..4656d92 100644
--- a/.github/workflows/package-release.yaml
+++ b/.github/workflows/package-release.yaml
@@ -135,9 +135,9 @@ jobs:
 id-token: write
 outputs:
 artifact-name: ${{ steps.set-outputs.outputs.artifact-name }}
- version: ${{ steps.semantic-release.outputs.new_release_version || inputs.version }}
- released: ${{ steps.semantic-release.outputs.new_release_published || 'false' }}
- tag: ${{ steps.semantic-release.outputs.new_release_git_tag }}
+ version: ${{ steps.release-info.outputs.version || inputs.version }}
+ released: ${{ steps.release-info.outputs.released || 'false' }}
+ tag: ${{ steps.release-info.outputs.tag }}
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
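Review bot: The `|| inputs.version` fallback on the new `version` output no longer fires, because the `release-info` step introduced in the next hunk writes the literal string `unknown` in every non-release branch instead of leaving the output empty, so callers of this reusable workflow now receive `unknown` where they previously received `inputs.version`. Either have those branches write an empty value, `echo "version=" >> "$GITHUB_OUTPUT"`, or make the expression explicit, `version: ${{ steps.release-info.outputs.version != 'unknown' && steps.release-info.outputs.version || inputs.version }}`. The `tag` output is unaffected, since the same step writes it as empty and it therefore stays falsy as before.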
@@ -162,31 +162,40 @@ jobs:
 installer: quick
 system: x86_64-linux

- - name: Test semantic-release (dry-run)
- if: steps.cache.outputs.should-run == 'true' && inputs.release-dry-run == 'true'
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: |
- nix develop --accept-flake-config -c just release-package ${{ inputs.package-name }} true
+ - name: Install dependencies
+ if: steps.cache.outputs.should-run == 'true'
+ run: nix develop --accept-flake-config -c bun install

 - name: Run semantic-release
 id: semantic-release
- if: steps.cache.outputs.should-run == 'true' && inputs.release-dry-run != 'true'
- uses: cycjimmy/semantic-release-action@b1b432f13acb7768e0c8efdec416d363a57546f2 # ratchet:cycjimmy/semantic-release-action@v4
- with:
- working_directory: ${{ inputs.package-path }}
- dry_run: false
- semantic_version: 24
- extra_plugins: |
- @semantic-release/changelog
- semantic-release-major-tag
- semantic-release-monorepo
- conventional-changelog-conventionalcommits
- ci: true
+ if: steps.cache.outputs.should-run == 'true'
 env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ nix develop --accept-flake-config -c just release-package ${{ inputs.package-name }} ${{ inputs.release-dry-run }}
+
+ - name: Extract release info
+ if: always()
+ id: release-info
+ run: |
+ if [ "${{ inputs.release-dry-run }}" = "false" ]; then
+ LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "")
+ if [ -n "$LATEST_TAG" ]; then
+ VERSION=$(echo "$LATEST_TAG" | grep -oP '\d+\.\d+\.\d+' || echo "unknown")
+ echo "version=$VERSION" >> $GITHUB_OUTPUT
+ echo "released=true" >> $GITHUB_OUTPUT
+ echo "tag=$LATEST_TAG" >> $GITHUB_OUTPUT
+ else
+ echo "version=unknown" >> $GITHUB_OUTPUT
+ echo "released=false" >> $GITHUB_OUTPUT
+ echo "tag=" >> $GITHUB_OUTPUT
+ fi
+ else
+ echo "version=unknown" >> $GITHUB_OUTPUT
+ echo "released=false" >> $GITHUB_OUTPUT
+ echo "tag=" >> $GITHUB_OUTPUT
+ fi

 - name: Set outputs
 id: set-outputs
@@ -195,15 +204,15 @@ jobs:
 ARTIFACT_NAME="${{ inputs.package-name }}-${{ github.run_id }}"
 echo "artifact-name=$ARTIFACT_NAME" >> "$GITHUB_OUTPUT"

- if [ "${{ steps.semantic-release.outputs.new_release_published }}" == "true" ]; then
- echo "Package ${{ inputs.package-name }} released version ${{ steps.semantic-release.outputs.new_release_version }}"
- echo "Tag: ${{ steps.semantic-release.outputs.new_release_git_tag }}"
+ if [ "${{ steps.release-info.outputs.released }}" == "true" ]; then
+ echo "Package ${{ inputs.package-name }} released version ${{ steps.release-info.outputs.version }}"
+ echo "Tag: ${{ steps.release-info.outputs.tag }}"
 else
 echo "No release needed for ${{ inputs.package-name }}"
 fi

 - name: Build package
- if: steps.cache.outputs.should-run == 'true' && inputs.build-wheels != 'true' && (steps.semantic-release.outputs.new_release_published == 'true' || inputs.release-dry-run == 'true')
+ if: steps.cache.outputs.should-run == 'true' && inputs.build-wheels != 'true' && (steps.release-info.outputs.released == 'true' || inputs.release-dry-run == 'true')
 working-directory: ${{ inputs.package-path }}
 run: |
 nix develop --accept-flake-config -c uv build
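Review bot: `released=true` in the `Extract release info` step is derived from `git describe --tags --abbrev=0`, which returns the nearest tag reachable from HEAD whether or not semantic-release just created it, so a production run that publishes nothing (or fails — the step runs under `if: always()`) still reports the previous release as new, and that flag gates `uv publish` in the `Publish to PyPI` step of the last hunk as well as the `Build package` and `Upload artifacts` conditions. Record the tag before the release step and treat a release as published only when the value changes after it; in a repository holding several packages the lookup should presumably also be restricted to this package's tag pattern with `--match` (the issue log on this page shows tags of the form `pnt-cli-v0.0.0`, but confirm against the semantic-release tagFormat in use). This presumes the checkout step fetches tags — its `with:` block lies outside the hunk — and, as a smaller point, `"$GITHUB_OUTPUT"` should be quoted as the `Set outputs` step already does, while `grep -oP '\d+\.\d+\.\d+'` silently truncates any prerelease suffix from the reported version.
```yaml
      - name: Record tag before release
        if: steps.cache.outputs.should-run == 'true'
        id: pre-release
        run: echo "tag=$(git describe --tags --abbrev=0 2>/dev/null || echo "")" >> "$GITHUB_OUTPUT"

      # … unchanged: Run semantic-release step …

      - name: Extract release info
        if: always()
        id: release-info
        run: |
          if [ "${{ inputs.release-dry-run }}" = "false" ]; then
            LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "")
            # Only a tag that did not exist before the release step counts as a new release.
            if [ -n "$LATEST_TAG" ] && [ "$LATEST_TAG" != "${{ steps.pre-release.outputs.tag }}" ]; then
              VERSION=$(echo "$LATEST_TAG" | grep -oP '\d+\.\d+\.\d+' || echo "unknown")
              echo "version=$VERSION" >> "$GITHUB_OUTPUT"
              echo "released=true" >> "$GITHUB_OUTPUT"
              echo "tag=$LATEST_TAG" >> "$GITHUB_OUTPUT"
            else
              # … unchanged: no-release branches …
```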
@@ -213,14 +222,14 @@ jobs:
 if: ${{ inputs.debug-enabled }}

 - name: Upload artifacts
- if: steps.cache.outputs.should-run == 'true' && inputs.build-wheels != 'true' && (steps.semantic-release.outputs.new_release_published == 'true' || inputs.release-dry-run == 'true')
+ if: steps.cache.outputs.should-run == 'true' && inputs.build-wheels != 'true' && (steps.release-info.outputs.released == 'true' || inputs.release-dry-run == 'true')
 uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
 with:
 name: ${{ steps.set-outputs.outputs.artifact-name }}
 path: ${{ inputs.package-path }}/dist

 - name: Publish to PyPI
- if: steps.cache.outputs.should-run == 'true' && inputs.build-wheels != 'true' && steps.semantic-release.outputs.new_release_published == 'true' && inputs.release-dry-run != 'true'
+ if: steps.cache.outputs.should-run == 'true' && inputs.build-wheels != 'true' && steps.release-info.outputs.released == 'true' && inputs.release-dry-run != 'true'
 working-directory: ${{ inputs.package-path }}
 run: nix develop --accept-flake-config -c uv publish
 env:
From 067fed14c1dbf7433b160ab3be10bee2fe9666cf Mon Sep 17 00:00:00 2001
From: Cameron Smith
Date: Mon, 16 Feb 2026 13:21:49 -0500
Subject: [PATCH 3/3] chore(beads): sync
---
 .beads/issues.jsonl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.beads/issues.jsonl b/.beads/issues.jsonl
index fcb8cde..4196be9 100644
--- a/.beads/issues.jsonl
+++ b/.beads/issues.jsonl
@@ -42,7 +42,7 @@ {"id":"pnt-pzl","title":"Evaluate pkgs-by-name-for-flake-parts adoption for package auto-discovery","description":"Vanixiets uses pkgs-by-name-for-flake-parts for automatic package discovery from pkgs/by-name/. Python-nix-template currently hard-codes package paths in modules/python.nix, requiring manual updates for each new package.\n\nDirect adoption is feasible but python-nix-template packages need Python-specific overlay composition (crane integration, maturin compatibility, editable overlay exclusion). Requires designing a Python-aware discovery layer or adapting the pkgs-by-name pattern to emit overlays rather than standalone derivations.\n\nThis is architectural preparation for multi-package growth. Lower priority than cache and follows fixes.","status":"closed","priority":3,"issue_type":"task","owner":"cameron.ray.smith@gmail.com","created_at":"2026-02-03T15:48:39.744987-05:00","created_by":"Cameron Smith","updated_at":"2026-02-03T18:07:32.63938-05:00","closed_at":"2026-02-03T18:07:32.63938-05:00","close_reason":"Won't-fix: pkgs-by-name auto-discovery is incompatible with uv2nix overlay composition model. Packages are overlays composed into a shared set, not standalone derivations. Two-file Rust pattern (rust.nix + default.nix) also incompatible with single-file-per-package structure."} {"id":"pnt-rvh","title":"Align renovate config with ecosystem conventions","description":"Migrate .github/renovate.json from minimal config:base to full ecosystem pattern matching typescript-nix-template and ironstar. 
Subsumes Renovate auto-migration PR #69.","status":"closed","priority":2,"issue_type":"task","owner":"cameron.ray.smith@gmail.com","created_at":"2026-02-12T15:49:19.073091-05:00","created_by":"Cameron Smith","updated_at":"2026-02-12T15:53:21.231244-05:00","closed_at":"2026-02-12T15:53:21.231244-05:00","close_reason":"Implemented in cbf07c5"} {"id":"pnt-wbq","title":"Cross-compile and release pnt-cli wheels for all major platforms via crane pkgsCross","description":"Build and release platform-specific Python wheels for pnt-cli (PyO3/maturin package with Rust extension modules) across all four major targets: x86_64-linux, aarch64-linux, x86_64-darwin, aarch64-darwin.\n\nCurrent state: pnt-cli builds and tests on a single platform via hand-rolled crane + maturin + uv2nix overlay composition (nix/packages/pnt-cli/rust.nix and default.nix). It has never been released. semantic-release is configured in packages/pnt-cli/package.json but predicts no pending release.\n\nResearch findings: Nix pkgsCross is not viable for PyPI wheel distribution. No project in the ecosystem uses Nix cross-compilation to produce manylinux-compatible wheels. The industry standard is GitHub Actions + maturin-action with manylinux containers for Linux and native runners for macOS. 
crane-maturin (vlaci/crane-maturin) provides a thin wrapper over crane that eliminates hand-rolled boilerplate for maturin builds.\n\nScope (three phases):\n\nPhase A — crane-maturin refactor (no new capabilities):\n- Add vlaci/crane-maturin as flake input (pinned)\n- Replace nix/packages/pnt-cli/rust.nix + default.nix with single buildMaturinPackage call via mkLib\n- Update modules/python.nix overlay composition to use crane-maturin's output pattern\n- Verify nix flake check and nix develop -c pytest pass for all 3 packages\n- Benefit: automatic two-phase cargo caching, PYO3_PYTHON handling, passthru.tests (pytest, clippy, doc, fmt, test, audit)\n\nPhase B — CI wheel build workflow (new capability):\n- New workflow: .github/workflows/wheel-build.yaml\n- Matrix: linux-x86_64, linux-aarch64, macos-x86_64, macos-aarch64\n- Linux: maturin-action with manylinux: auto (pure Rust, no custom containers needed)\n- macOS: native runners (macos-15 for arm64)\n- Python 3.12 only (template users extend as needed)\n- Artifact upload per platform\n- Concrete for pnt-cli but with clear parameterization points (package name, maturin args as workflow variables)\n\nPhase C — release pipeline:\n- Coordinate with existing package-release.yaml\n- Trigger: semantic-release creates tag → dispatches wheel builds → collects artifacts\n- Publish to PyPI via uv publish with trusted publishing (OIDC)\n- Include sdist alongside wheels\n- Existing packages/pnt-cli/package.json semantic-release config drives versioning\n\nReference implementations:\n- ~/projects/nix-workspace/crane-maturin — vlaci/crane-maturin source (mkLib API, buildMaturinPythonPackage.nix)\n- ~/projects/nix-workspace/pyperscan-uses-crane-maturin — flake.nix overlay pattern, CI workflow structure\n- pydantic-core, polars, cryptography — industry standard maturin-action CI patterns\n\nOut of scope:\n- Nix cross-build outputs (nix build .#packages.aarch64-linux.pnt-cli from x86_64-linux) — separate concern\n- Multiple Python 
version matrix — start with 3.12, extend later\n- omnix template parameterization — edit-in-place customization","status":"closed","priority":3,"issue_type":"task","owner":"cameron.ray.smith@gmail.com","created_at":"2026-02-02T23:00:13.965286-05:00","created_by":"Cameron Smith","updated_at":"2026-02-04T15:21:02.210086-05:00","closed_at":"2026-02-04T15:21:02.210086-05:00","close_reason":"Implemented across phases A (60894ef), B (b4e9a4c), C (a2b936d, b7441d5).\n\nPhase A: crane-maturin + nixpkgsPrebuilt eliminates dual Rust compilation.\nPhase B: wheel-build.yaml with maturin-action matrix (4 platforms + sdist).\nPhase C: package-release.yaml gains build-wheels pipeline with OIDC trusted publishing.\n\nActivation prerequisites (operational, not code):\n1. Configure PyPI trusted publishing for package-release.yaml workflow in pypi environment\n2. Consider adding @semantic-release/git to pnt-cli package.json to update pyproject.toml version before wheel builds","dependencies":[{"issue_id":"pnt-wbq","depends_on_id":"pnt-5vr","type":"discovered-from","created_at":"2026-02-02T23:00:28.588784-05:00","created_by":"Cameron Smith"}],"comments":[{"id":8,"issue_id":"pnt-wbq","author":"Cameron Smith","text":"Checkpoint: Phase A complete, Phase B in progress\n\nDone (Phase A — crane-maturin refactor):\n- Moved Cargo workspace root from packages/pnt-cli/crates/ to packages/pnt-cli/ so pyproject.toml and Cargo.toml share the same src root (required by crane-maturin)\n- Added vlaci/crane-maturin as pinned flake input\n- Replaced rust.nix + default.nix with single crane-maturin integration in default.nix\n- Overlay uses hybrid approach: augments uv2nix base via overrideAttrs (preserving pyproject-nix resolver metadata for devShell) while pulling cargoVendorDir and passthru.tests from crane-maturin's standalone buildMaturinPackage\n- nix flake check passes with expanded test suite: pnt-cli-{clippy,doc,fmt,pytest,test(nextest)}\n- nix develop -c python confirms native module loads 
correctly\n- 3 clean atomic commits: Cargo restructure, flake input, crane-maturin refactor\n\nKey learning:\n- crane-maturin's buildMaturinPackage cannot directly replace the uv2nix overlay entry because pyproject-nix's resolveVirtualEnv needs passthru.dependencies metadata that buildPythonPackage does not produce\n- The hybrid approach works: crane-maturin for standalone build + test suite, uv2nix overrideAttrs for the overlay entry with crane's cargoVendorDir injected via preBuild\n- crane-maturin's `pname` parameter silences crane workspace name warnings\n\nRemaining (Phase B + C):\n- Phase B: wheel-build.yaml with maturin-action matrix (linux + macOS, Python 3.12)\n- Phase C: release pipeline coordination with package-release.yaml\n\nBranch: pnt-wbq-cross-compile-wheels (3 commits ahead of pnt-5vr-nix2container)","created_at":"2026-02-04T18:43:17Z"},{"id":9,"issue_id":"pnt-wbq","author":"Cameron Smith","text":"Checkpoint: nixpkgsPrebuilt refactor complete, Phase B pending\n\nDone (Phase A continued):\n- Replaced overrideAttrs overlay with pyproject-nix hacks.nixpkgsPrebuilt\n- Eliminates dual Rust compilation: crane-maturin builds once, nixpkgsPrebuilt adapts for uv2nix resolver\n- Added workspace.metadata.crane.name to silence placeholder warnings\n- Validated: nix flake check (6/6), nix develop -c pytest (2/2), nix build .#default all pass\n- Confirmed nixpkgsPrebuilt preserves passthru.dependencies for mkVirtualEnv\n\nKey learning:\n- pyproject-nix's hacks.nixpkgsPrebuilt is the correct adapter between nixpkgs buildPythonPackage outputs and pyproject-nix package sets\n- The previous overrideAttrs approach compiled Rust twice (once in cmPackage, once in the overlay via pyprojectHook + maturin)\n- nixpkgsPrebuilt strips nixpkgs propagation/wrapping and copies site-packages, taking passthru from prev\n- Cargo workspace-only root pattern (no [package] in root Cargo.toml) works with crane-maturin via manifest-path in pyproject.toml\n\nRemaining (Phase B + C):\n- 
Phase B: wheel-build.yaml with maturin-action matrix (linux + macOS, Python 3.12)\n- Phase C: release pipeline coordination with package-release.yaml\n\nBranch: pnt-wbq-cross-compile-wheels (4 commits ahead of pnt-yty-cloudflare-docs-alignment)","created_at":"2026-02-04T20:06:38Z"},{"id":10,"issue_id":"pnt-wbq","author":"Cameron Smith","text":"Phase B + C complete\n\nDone (Phase B — wheel-build workflow):\n- Created .github/workflows/wheel-build.yaml with maturin-action\n- Matrix: linux-x86_64 (ubuntu-latest), linux-aarch64 (ubuntu-24.04-arm), macos-x86_64 (macos-15-intel), macos-aarch64 (macos-15)\n- Callable via workflow_dispatch + workflow_call for release pipeline integration\n- Builds sdist + 4 platform wheels, uploads as artifacts (wheels-* pattern)\n- PACKAGE_PATH env var as template customization point\n\nDone (Phase C — release pipeline integration):\n- Added build-wheels input to package-release.yaml (follows build-images pattern)\n- When build-wheels=true: skips single-platform uv build/publish, calls wheel-build.yaml with release tag, then publishes all artifacts via uv publish --trusted-publishing always (OIDC)\n- Added pnt-cli to ci.yaml release-packages matrix with build-wheels: true\n- Existing pure Python packages unaffected (python-nix-template, pnt-functional use existing uv build path)\n\nNote: PyPI trusted publishing requires configuring the OIDC trust relationship on PyPI for the publish-wheels job (environment: pypi). pnt-cli's package.json lacks @semantic-release/git so pyproject.toml version is not updated by semantic-release — this is a pre-existing concern for all packages.\n\nBranch: pnt-wbq-cross-compile-wheels (4 new commits)","created_at":"2026-02-04T20:20:07Z"},{"id":11,"issue_id":"pnt-wbq","author":"Cameron Smith","text":"Post-closure session: release pipeline hardening\n\nInvestigated CI run 21687459543 where all preview-release-version jobs\nfailed silently. 
Root cause: the preview-version justfile recipe ran\nsemantic-release directly on the PR branch without merge simulation,\nso semantic-release rejected the non-release branch.\n\nImplemented four components to fix the release pipeline:\n\n1. Ported scripts/preview-version.sh from vanixiets (merge simulation\n via git merge-tree, worktree, temporary ref updates, yarn instead\n of bun, GITHUB_OUTPUT integration)\n\n2. Removed @semantic-release/git from all package.json files and\n package-release.yaml. Adopted pre-merge version bump pattern:\n developer runs just update-version \u003cpkg\u003e \u003cver\u003e as part of the PR.\n\n3. Added version consistency check step to preview-release-version CI\n job. Compares previewed next version against pyproject.toml (and\n Cargo.toml for maturin packages). Fails with actionable message.\n\n4. Added just update-version recipe: per-package aware, handles\n pyproject.toml [project] + [tool.pixi.package], Cargo.toml\n [workspace.package] for maturin packages, runs uv lock.\n\nFixed three CI issues during iteration:\n- yarn.lock out of sync after removing @semantic-release/git\n- ANSI escape codes contaminating version string comparison\n- PyO3 0.23.5 incompatible with Python 3.14 on macos-15 runners\n (pinned to 3.11/3.12 via setup-python + maturin -i flags)\n\nCreated pnt-cli-v0.0.0 base tag on main for semantic-release.\nCommitted wheel-build.yaml to main and rebased feature branch.\nWheel build run 21693930817 triggered for validation.\n\nCommits: 51b2455..6b5ff56 (feature branch, post-rebase)","created_at":"2026-02-05T01:10:45Z"}]} -{"id":"pnt-wl6","title":"Audit and modernize justfile recipes","description":"Systematic review of all justfile recipes (91 total across 10 groups) to ensure each is functional, correctly grouped, and up-to-date with the current project structure. Recipes should work correctly for all template instantiation variants (single-package, monorepo, with/without pyo3). 
Cross-cutting concerns include hardcoded repo references, pnt-cli defaults in optional groups, CI/CD group overload, and emoji usage in recipe output.","status":"open","priority":2,"issue_type":"epic","owner":"cameron.ray.smith@gmail.com","created_at":"2026-02-05T20:03:10.207237-05:00","created_by":"Cameron Smith","updated_at":"2026-02-05T20:03:10.207237-05:00"} +{"id":"pnt-wl6","title":"Audit and modernize justfile recipes","description":"Systematic review of all justfile recipes (91 total across 10 groups) to ensure each is functional, correctly grouped, and up-to-date with the current project structure. Recipes should work correctly for all template instantiation variants (single-package, monorepo, with/without pyo3). Cross-cutting concerns include hardcoded repo references, pnt-cli defaults in optional groups, CI/CD group overload, and emoji usage in recipe output.","status":"in_progress","priority":2,"issue_type":"epic","owner":"cameron.ray.smith@gmail.com","created_at":"2026-02-05T20:03:10.207237-05:00","created_by":"Cameron Smith","updated_at":"2026-02-16T13:20:36.037845-05:00"} {"id":"pnt-wl6.1","title":"CI/CD group: audit and restructure recipes","description":"Review and restructure the CI/CD recipe group (23 recipes). 
This is the largest and most overloaded group, containing at least 4 distinct concerns that should be evaluated for regrouping.\n\nRecipes to evaluate:\n- ci-build-category, list-packages-json, ci-sync, ci-lint, ci-test, ci-typecheck, ci-check (CI matrix and per-package CI)\n- scan-secrets, scan-staged, pre-commit (code quality gates)\n- gcloud-context, ghvars, ghsecrets (infrastructure configuration)\n- list-workflows, test-docs-build, test-docs-deploy (act-based local testing)\n- gh-docs-build, gh-workflow-status, gh-docs-watch, gh-docs-logs, gh-docs-rerun, gh-docs-cancel (GitHub workflow management)\n\nKnown concerns:\n- ghvars and ghsecrets hardcode repo as sciexp/python-nix-template; should derive dynamically or accept parameter without default\n- gh-docs-* recipes (6 recipes) are docs-workflow-specific but live in CI/CD; consider moving to docs group or creating a workflows group\n- ci-sync/ci-lint/ci-test/ci-typecheck/ci-check duplicate Python group recipes with uv run prefix; clarify when to use which\n- gcloud-context recipe references GCP_PROJECT_NAME env var but may be stale\n- list-workflows depends on act which may not be in all devshells\n\nDone means: each recipe tested or removed, group split if warranted, hardcoded values parameterized, descriptions updated.","status":"open","priority":2,"issue_type":"task","owner":"cameron.ray.smith@gmail.com","created_at":"2026-02-05T20:03:21.926844-05:00","created_by":"Cameron Smith","updated_at":"2026-02-05T20:03:21.926844-05:00","dependencies":[{"issue_id":"pnt-wl6.1","depends_on_id":"pnt-wl6","type":"parent-child","created_at":"2026-02-05T20:03:21.927598-05:00","created_by":"Cameron Smith"}]} {"id":"pnt-wl6.10","title":"Template group: audit and update recipes","description":"Review the Template recipe group (2 recipes).\n\nRecipes to evaluate:\n- template-init, template-verify\n\nKnown concerns:\n- template-init just echoes a command rather than executing it; consider making it executable or documenting why 
it is echo-only\n- template-init hardcodes omnix version v1.3.2 and github:sciexp/python-nix-template; should be parameterized or use a variable\n- template-verify uses om init which requires omnix; verify om is in devshell\n- template-verify creates tmp-verify-template directory; verify cleanup works if nix flake check fails (no trap)\n- Group is small; may need minimal changes\n\nDone means: each recipe tested, hardcoded values parameterized, cleanup robustness verified.","status":"open","priority":2,"issue_type":"task","owner":"cameron.ray.smith@gmail.com","created_at":"2026-02-05T20:04:34.025883-05:00","created_by":"Cameron Smith","updated_at":"2026-02-05T20:04:34.025883-05:00","dependencies":[{"issue_id":"pnt-wl6.10","depends_on_id":"pnt-wl6","type":"parent-child","created_at":"2026-02-05T20:04:34.026569-05:00","created_by":"Cameron Smith"}]} {"id":"pnt-wl6.11","title":"Remove emoji characters from justfile recipe output","description":"Multiple recipes across the justfile use emoji characters in their output messages. 
This contradicts the project style conventions which prohibit emoji usage.\n\nAffected recipes (non-exhaustive):\n- validate-secrets: uses checkmark and cross emojis\n- sops-init: uses checkmark emoji\n- sops-add-key: uses checkmark, warning, and cross emojis\n- set-secret: uses checkmark emoji\n- rotate-secret: uses checkmark emoji\n- gcp-enable-drive-api: uses checkmark and warning emojis\n- gcp-sa-create: uses checkmark emoji\n- gcp-sa-storage-user: uses checkmark and warning emojis\n- gcp-sa-key-encrypt: uses checkmark emoji\n- gcp-sa-key-delete: uses checkmark emoji\n- updatekeys: uses checkmark emoji\n- export-secrets: writes comment header\n- conda-check: uses ANSI color code (green) for success message\n- data-sync: uses checkmark emoji\n\nReplace with plain text status indicators (e.g., 'OK', 'PASS', 'FAIL', 'WARN') or remove decorative output entirely.\n\nDone means: no emoji characters remain in justfile, output messages use plain text.","status":"open","priority":2,"issue_type":"task","owner":"cameron.ray.smith@gmail.com","created_at":"2026-02-05T20:04:43.267932-05:00","created_by":"Cameron Smith","updated_at":"2026-02-05T20:04:43.267932-05:00","dependencies":[{"issue_id":"pnt-wl6.11","depends_on_id":"pnt-wl6","type":"parent-child","created_at":"2026-02-05T20:04:43.268585-05:00","created_by":"Cameron Smith"}]} 
@@ -54,7 +54,7 @@ {"id":"pnt-wl6.4","title":"Docs group: audit and update recipes","description":"Review the Docs recipe group (10 recipes).\n\nRecipes to evaluate:\n- docs-extensions, docs-reference, docs-build, docs-local, docs-check, docs-dev, docs-deploy, docs-preview-deploy, data-sync, docs-sync\n\nKnown concerns:\n- docs-build depends on data-sync which requires DVC setup with GCP service account; this hard dependency means docs cannot be built without DVC configuration\n- data-sync and docs-sync both decrypt vars/dvc-sa.json and use uvx with dvc-gdrive,dvc-gs; consider whether DVC should be optional for docs builds\n- docs-dev and docs-deploy use bunx wrangler; verify bun/wrangler are in devshell\n- docs-preview-deploy uses wrangler versions upload with preview alias\n- docs-extensions runs quarto add which modifies project files; may not be idempotent\n\nDone means: each recipe tested, DVC dependency evaluated for optionality, prerequisites documented, tools verified in devshell.","status":"open","priority":2,"issue_type":"task","owner":"cameron.ray.smith@gmail.com","created_at":"2026-02-05T20:03:46.393111-05:00","created_by":"Cameron Smith","updated_at":"2026-02-05T20:03:46.393111-05:00","dependencies":[{"issue_id":"pnt-wl6.4","depends_on_id":"pnt-wl6","type":"parent-child","created_at":"2026-02-05T20:03:46.393789-05:00","created_by":"Cameron Smith"}]} {"id":"pnt-wl6.5","title":"Nix group: audit and update recipes","description":"Review the Nix recipe group (4 recipes).\n\nRecipes to evaluate:\n- dev, flake-check, flake-update, ci\n\nKnown concerns:\n- ci recipe runs om ci (omnix); verify om is in devshell\n- flake-check is a comprehensive script that iterates all checks; verify it handles failures gracefully\n- dev recipe just runs nix develop which is redundant if user is already in direnv-managed shell\n- Group is small and clean; may need minimal changes\n\nDone means: each recipe tested, tools verified in 
devshell.","status":"open","priority":2,"issue_type":"task","owner":"cameron.ray.smith@gmail.com","created_at":"2026-02-05T20:03:52.621765-05:00","created_by":"Cameron Smith","updated_at":"2026-02-05T20:03:52.621765-05:00","dependencies":[{"issue_id":"pnt-wl6.5","depends_on_id":"pnt-wl6","type":"parent-child","created_at":"2026-02-05T20:03:52.622473-05:00","created_by":"Cameron Smith"}]} {"id":"pnt-wl6.6","title":"Python group: audit and update recipes","description":"Review the Python recipe group (10 recipes).\n\nRecipes to evaluate:\n- test, test-all, uv-build, uv-sync, uv-lock, lint, lint-all, lint-fix, type, check\n\nKnown concerns:\n- All parameterized recipes default to package=python-nix-template; evaluate whether this is the right default\n- test recipe runs bare pytest (not uv run pytest); compare with ci-test which uses uv run pytest\n- lint runs bare ruff check; compare with ci-lint which uses uv run ruff check\n- type runs bare pyright; compare with ci-typecheck which uses uv run pyright\n- The distinction between bare tool invocation (Python group) and uv run invocation (CI/CD group) should be documented or unified\n- lint-all runs ruff check on entire packages/ directory; verify this works with independent-lock pattern\n- test-all iterates packages and runs pytest in each; verify this works without workspace-level uv.lock\n\nDone means: each recipe tested, relationship with CI/CD group recipes clarified, defaults evaluated.","status":"open","priority":2,"issue_type":"task","owner":"cameron.ray.smith@gmail.com","created_at":"2026-02-05T20:04:00.982412-05:00","created_by":"Cameron Smith","updated_at":"2026-02-05T20:04:00.982412-05:00","dependencies":[{"issue_id":"pnt-wl6.6","depends_on_id":"pnt-wl6","type":"parent-child","created_at":"2026-02-05T20:04:00.983084-05:00","created_by":"Cameron Smith"}]} -{"id":"pnt-wl6.7","title":"Release group: audit and update recipes","description":"Review the Release recipe group (8 recipes).\n\nRecipes to evaluate:\n- 
test-release, test-release-as-main, test-release-on-current-branch, test-release-direct, test-package-release, preview-version, release-package, update-version\n\nKnown concerns:\n- test-release, test-release-as-main, test-release-on-current-branch, test-release-direct all delegate to bun run scripts; verify these scripts exist in package.json\n- test-package-release defaults to package-name=python-nix-template\n- release-package runs bun install then delegates to bun run; verify bun is in devshell\n- update-version uses sed for in-place edits; verify correctness on macOS (sed -i'' vs sed -i)\n- update-version handles pyproject.toml [project] and [tool.pixi.package] versions plus Cargo.toml; verify all paths\n- preview-version delegates to scripts/preview-version.sh; verify this script exists\n\nDone means: each recipe tested or verified, bun scripts confirmed, sed portability checked.","status":"open","priority":2,"issue_type":"task","owner":"cameron.ray.smith@gmail.com","created_at":"2026-02-05T20:04:08.993522-05:00","created_by":"Cameron Smith","updated_at":"2026-02-05T20:04:08.993522-05:00","dependencies":[{"issue_id":"pnt-wl6.7","depends_on_id":"pnt-wl6","type":"parent-child","created_at":"2026-02-05T20:04:08.994211-05:00","created_by":"Cameron Smith"}]} +{"id":"pnt-wl6.7","title":"Release group: audit and update recipes","description":"Review the Release recipe group (8 recipes).\n\nRecipes to evaluate:\n- test-release, test-release-as-main, test-release-on-current-branch, test-release-direct, test-package-release, preview-version, release-package, update-version\n\nKnown concerns:\n- test-release, test-release-as-main, test-release-on-current-branch, test-release-direct all delegate to bun run scripts; verify these scripts exist in package.json\n- test-package-release defaults to package-name=python-nix-template\n- release-package runs bun install then delegates to bun run; verify bun is in devshell\n- update-version uses sed for in-place edits; verify 
correctness on macOS (sed -i'' vs sed -i)\n- update-version handles pyproject.toml [project] and [tool.pixi.package] versions plus Cargo.toml; verify all paths\n- preview-version delegates to scripts/preview-version.sh; verify this script exists\n\nDone means: each recipe tested or verified, bun scripts confirmed, sed portability checked.","status":"in_progress","priority":2,"issue_type":"task","owner":"cameron.ray.smith@gmail.com","created_at":"2026-02-05T20:04:08.993522-05:00","created_by":"Cameron Smith","updated_at":"2026-02-16T13:20:36.143188-05:00","dependencies":[{"issue_id":"pnt-wl6.7","depends_on_id":"pnt-wl6","type":"parent-child","created_at":"2026-02-05T20:04:08.994211-05:00","created_by":"Cameron Smith"}]} {"id":"pnt-wl6.8","title":"Rust group: audit and update recipes","description":"Review the Rust recipe group (5 recipes).\n\nRecipes to evaluate:\n- cargo-build, cargo-test, cargo-clippy, cargo-nextest, cargo-check\n\nKnown concerns:\n- All recipes default to package=pnt-cli which is optional (only present in pyo3-enabled instantiations)\n- All recipes assume packages/{package}/crates directory structure; this is pnt-cli-specific\n- cargo-nextest uses --no-tests=pass flag; verify this is the intended behavior\n- These recipes are irrelevant for template instantiations without Rust/pyo3 support\n- Consider conditional availability or clear documentation that this group is pyo3-only\n\nDone means: each recipe tested in pnt-cli context, documented as optional/conditional, defaults evaluated.","status":"open","priority":2,"issue_type":"task","owner":"cameron.ray.smith@gmail.com","created_at":"2026-02-05T20:04:15.108397-05:00","created_by":"Cameron Smith","updated_at":"2026-02-05T20:04:15.108397-05:00","dependencies":[{"issue_id":"pnt-wl6.8","depends_on_id":"pnt-wl6","type":"parent-child","created_at":"2026-02-05T20:04:15.109077-05:00","created_by":"Cameron Smith"}]} {"id":"pnt-wl6.9","title":"Secrets group: audit and restructure 
recipes","description":"Review and restructure the Secrets recipe group (20 recipes). This is the second largest group and contains two distinct concerns that should be evaluated for separation.\n\nRecipes to evaluate:\nCore sops management (10 recipes):\n- show-secrets, edit-secrets, new-secret, export-secrets, run-with-secrets, check-secrets, get-secret, validate-secrets, sops-init, sops-add-key, set-secret, rotate-secret, updatekeys\n\nGCP service account and DVC management (7 recipes):\n- gcp-enable-drive-api, gcp-sa-create, gcp-sa-storage-user, gcp-sa-key-download, gcp-sa-key-encrypt, gcp-sa-key-rotate, gcp-sa-key-delete, gcp-sa-keys-list, dvc-run\n\nKnown concerns:\n- GCP/DVC recipes are project-specific infrastructure that most template instantiations will not need; consider separating into a gcp or data group\n- sops-add-key uses interactive read which may not work in all environments\n- rotate-secret uses interactive read -s for hidden input\n- validate-secrets and sops-init use emoji characters in output (contradicts style conventions)\n- export-secrets writes to .secrets.env; verify this is in .gitignore\n- updatekeys iterates all files in vars/ not just yaml; could match non-sops files\n\nDone means: each recipe tested, group potentially split into sops-core and gcp/data subgroups, interactive recipes documented, emoji usage removed.","status":"open","priority":2,"issue_type":"task","owner":"cameron.ray.smith@gmail.com","created_at":"2026-02-05T20:04:26.827907-05:00","created_by":"Cameron Smith","updated_at":"2026-02-05T20:04:26.827907-05:00","dependencies":[{"issue_id":"pnt-wl6.9","depends_on_id":"pnt-wl6","type":"parent-child","created_at":"2026-02-05T20:04:26.828668-05:00","created_by":"Cameron Smith"}]} {"id":"pnt-yty","title":"Align Cloudflare docs deployment with vanixiets preview-promote pattern","description":"Align python-nix-template docs deployment workflow with the preview-promote pattern from vanixiets and typescript-nix-template. 
Currently pnt has preview deployment but no production promotion logic, uses a two-job workflow with artifact upload, lacks link validation, and uses yarn-berry where vanixiets/tnt use bun.\n\nChanges required:\n\n1. Migrate from yarn-berry to bun:\n - Remove yarn.lock, .yarnrc.yml, and any yarn configuration\n - Add bun to the devShell (modules/devshell.nix)\n - Replace all yarn dlx wrangler / yarn dlx references with bunx wrangler / bunx\n - Update package.json scripts if they reference yarn\n - Generate bun.lock (or bun.lockb) from package.json\n - Update .gitignore for bun artifacts\n - Update CI workflows that reference yarn\n - This aligns tooling exactly with vanixiets and typescript-nix-template\n\n2. Add docs-deploy-production justfile recipe with version promotion logic:\n - Look up existing wrangler version by 12-char commit SHA tag\n - If found: promote to 100% production traffic (zero rebuild)\n - If not found: fall back to build and deploy directly\n - Reference: vanixiets scripts/docs/deploy-production.sh and tnt justfile docs-deploy-production\n\n3. Align docs-deploy-preview with vanixiets pattern:\n - Branch name sanitization (40-char subdomain-safe)\n - Git metadata capture (12-char SHA tag, commit message, clean/dirty status)\n - Use bunx wrangler (after yarn-to-bun migration)\n\n4. Refactor deploy-docs.yaml workflow:\n - Single-job pattern with environment branching (preview vs production)\n - Use setup-nix composite action instead of DeterminateSystems/nix-installer-action\n - Add link validation step (just docs-linkcheck or equivalent for Quarto)\n - Add cached-ci-job execution caching\n - Preview triggered on PR, production triggered on push to main/beta\n\n5. Evaluate wrangler.jsonc location:\n - Currently at repo root, vanixiets/tnt have it in packages/docs/\n - pnt docs are in docs/ (not packages/docs/), so repo root may be appropriate\n - Ensure assets.directory path is correct relative to wrangler.jsonc location\n\n6. 
Worker naming convention:\n - Current: python-nix-template (matches repo name)\n - vanixiets pattern: infra-docs, tnt pattern: ts-nix-docs\n - Choose appropriate worker name for the template\n\nReference implementations:\n- ~/projects/nix-workspace/vanixiets justfile (docs-deploy-preview, docs-deploy-production), deploy-docs.yaml, packages/docs/wrangler.jsonc, scripts/docs/deploy-production.sh\n- ~/projects/nix-workspace/typescript-nix-template justfile, deploy-docs.yaml, packages/docs/wrangler.jsonc\n\nNote: pnt uses Quarto (not Astro) so build commands differ, but the wrangler deployment pattern and bun tooling are framework-agnostic.","status":"closed","priority":2,"issue_type":"task","owner":"cameron.ray.smith@gmail.com","created_at":"2026-02-03T18:23:43.437695-05:00","created_by":"Cameron Smith","updated_at":"2026-02-03T22:16:52.24175-05:00","closed_at":"2026-02-03T22:16:52.24175-05:00","close_reason":"Implemented across 18 commits on branch pnt-yty-cloudflare-docs-alignment (dd698bf..e03ca68). Phase 1: yarn-to-bun migration (devshell, package.json, justfile, lockfile, CI hash-sources). Phase 2: preview-promote docs deployment (docs-deploy-preview with branch sanitization and SHA tagging, docs-deploy-production with version promotion, single-job deploy-docs.yaml with environment branching, wrangler.jsonc schema and observability). Alignment: GitHub preview/production environments created, preview-docs job runs on every PR (removed label gate), ::notice annotations for predicted semantic-release versions, preview-version.sh ported from tnt with merge-tree simulation. CI verified green on PR 45 (run 21652296092). Fix for preview-release-version local branch requirement pushed (e03ca68), awaiting CI confirmation."}