The payload (pure-stdlib bridge.py + a stock CPython closure) is fully
Nix-expressible, so this is NOT an escape-hatch/buildkit repo: both arches
build on emmett (amd64 native + arm64 pkgsCross of stock python3 from the
binary cache) with no buildkit, qemu, docker daemon, or howard pin.

Replace the partial amd64-only scaffold with parity-lib's
mkNix2ContainerPublish, completing the arm64 leg + multi-arch index. The
per-arch nix2container image derivations are kept verbatim; stage/publish/
publish-index/publish/push-staged now come from the shared builder so CI and
local invoke identical code. Thin .woodpecker.yaml to a single
nix run .#publish; retire the buildx/remote-builder steps.

The Dockerfile is now unused (the cutover drops it) but kept in-tree so the
server-side hadolint pre-receive hook does not crash on a file deletion.

Refs cluster #192, emmett#44.

Archetype: oci-image (buildx -> in-cluster remote buildkit), the HARD case.

DESIGN/PARTIAL, not a finished migration:
- ci/MIGRATION.md: concrete plan to escape buildkit via nix2container/skopeo
  +regctl. The app is pure-stdlib Python, so both arches are buildable on
  emmett (amd64-native + Nix-cross-from-amd64 python3 closure) with no
  buildkit/qemu/docker -> no foreign-arch leg needed; Dockerfile retired on
  cutover. Covers per-arch build, entrypoints, .woodpecker.yaml target,
  escape hatch (unused here), risks, remaining work.
- flake.nix: scaffolds the natively-buildable amd64 leg only
  (stage-amd64, publish-amd64), dry-run by default (PUBLISH=1 to push),
  $REGISTRY_TOKEN -> pass fallback, registry-down/empty-token blockers.
  Mirrors reference impl claude-plugin-registry@9850745.

arm64 leg, publish-index/publish, and YAML cutover are designed but NOT wired.

Verified: nix eval .#apps.x86_64-linux (-> stage-amd64, publish-amd64); no
image build run (downloads closure).