Archetype: oci-image (buildx -> in-cluster remote buildkit), the HARD case.
DESIGN/PARTIAL, not a finished migration:
- ci/MIGRATION.md: concrete plan to escape buildkit via nix2container/skopeo
+regctl. The app is pure-stdlib Python, so both arches are buildable on
emmett (amd64-native + Nix-cross-from-amd64 python3 closure) with no
buildkit/qemu/docker -> no foreign-arch leg needed; Dockerfile retired on
cutover. Covers per-arch build, entrypoints, .woodpecker.yaml target,
escape hatch (unused here), risks, remaining work.
- flake.nix: scaffolds the natively-buildable amd64 leg only
(stage-amd64, publish-amd64), dry-run by default (PUBLISH=1 to push),
$REGISTRY_TOKEN -> pass fallback, registry-down/empty-token blockers.
Mirrors reference impl claude-plugin-registry@9850745.
arm64 leg, publish-index/publish, and YAML cutover are designed but NOT wired.
Verified: nix eval .#apps.x86_64-linux (-> stage-amd64, publish-amd64); no
image build run (downloads closure).
Oleks