Second fleet template for the parity-lib publish family #10
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Follow-up from #1. While building the
pypi-wheel-attictemplate for the 10 near-identical s390x repos, 9 more s390x repos turned out to share a second, genuinely-different-but-still-duplicated shape: "thin parity-lib publish." They were deliberately left out of #1's template because their differences are real, not copy-paste drift — but the shape itself repeats across all 9 and would benefit from its own smaller template.Repos
asyncpg, cryptography, fastuuid, lightningcss, nextjs-swc, rollup, onnxruntime, scikit-learn, scipy (all
-s390x).Shared shape
doctor(runsparity-lib#pipeline-doctor --strictas an enforcement gate before publish) +publish.PLUGIN_TAGS: "true"/PLUGIN_DEPTH: "0"(full clone with tags — some repos derive VERSION viagit describefallback), vs. #1's family which uses"false"/"1".CI_REGISTRY_TOKEN(aliased to$REGISTRY_TOKENinside the script) instead ofREGISTRY_TOKENdirectly from secret.attic watch-storeaccelerator — publish is a purenix run .#publish[-s390x]front door.Real per-repo variance to parameterize (not paper over)
REDIS_PASSWORDsecret + the 4-lineSCCACHE_REDIS_*/CCACHE_REMOTE_*export block.8Gi/32Girequest/limit, butpymupdf-style outliers exist elsewhere in the fleet — verify per-repo before assuming a single default.2vs4vs unset, inconsistent even among repos that otherwise look identical.doctorstep presence: confirmed on asyncpg; verify per-repo whether all 9 actually run it or if it's asyncpg-specific (the diff sample used in #1's investigation was small — re-audit each file before templating).Suggested approach
Same
manifest.yaml+generate.pypattern as #1, in the sameoleks/ci-scriptsrepo, as either a second manifest file or afamily:field added to the existing manifest with per-family render functions. Re-verify semantic equivalence the same way #1 did: parse rendered YAML vs. original, diff structurally (not textually), lint withwoodpecker-cli lintbefore regenerating for real, confirm idempotent re-render.Also apply #5's node-pinning convention (
labels: {arch: amd64|arm64}, dropprovider/platformvariants) and #6's|| trueban while templating, same as was done for the first family.Re-audited all 9 repos in detail (parsed YAML structure, not just grep) before templating — the real shape was more fragmented than my original one-line description. Disposition:
Templated (5, new
render_thin()+thin_repos:in oleks/ci-scripts):asyncpg-s390x, cryptography-s390x, lightningcss-s390x, nextjs-swc-s390x, rollup-s390x. Parameterized the real variance:
doctorgate presence (only asyncpg has it),token_direct(REGISTRY_TOKEN direct vs CI_REGISTRY_TOKEN + explicit remap — only cryptography),publish_style(PUBLISH=1 nix run .#publishvsnix run .#publish-s390x -- --publish),tags_full, anddead_secrets(some declare ATTIC_TOKEN/REDIS_PASSWORD unused — preserved, not cleaned up, out of scope). Verified idempotent + semantically equivalent (parsed-YAML diff) +woodpecker-cli lintclean for all 5. Pushed:d3c4c8e(generator+manifest+README) →68cba21(ruff fix), rebased twice against templates-worker's concurrent commits.Excluded, not forced (3 + 1 originally-miscounted):
CI_REGISTRY_TOKENbut has NOexport REGISTRY_TOKEN=...remap beforePUBLISH=1 nix run .#publish— cryptography-s390x (the only other CI_REGISTRY_TOKEN user) DOES have the remap. This looks like a real latent bug: publish would run withREGISTRY_TOKENunset. Not silently fixed via templating — flagging here for someone to confirm intent.Net: of the "9," 5 got a real shared template, 4 are flagged/excluded with reasons documented in
manifest.yamland README.md. Two of those four (fastuuid, onnxruntime) may have a genuine pre-existing token-wiring bug worth a separate look.Closing.