release-please org-wide coverage gaps + Q3a/Q3c migration blockers #11

@JacobPEvans-personal

Tracking: close release-please coverage gaps across dryvist

Triggered by an audit on 2026-05-30. Resolves Q3 of the local
release-please-config-review plan.

ci-cd-policy.md states "All repos use release-please." The audit below shows that 17 of 39 non-archived dryvist repos are fully migrated to the _release-please.yml reusable workflow, 1 uses a direct call, 1 has an orphan manifest (no workflow), and 19 have nothing.

Current state (audited 2026-05-30)

REUSABLE (17) — fully migrated, doing the right thing:

ai-assistant-instructions, ai-workflows, ansible-proxmox, ansible-proxmox-apps, ansible-splunk, cc-edge-pack-template, claude-code-plugins, mlx-benchmarks, nix-ai, nix-darwin, nix-devenv, nix-home, orbstack-kubernetes, raycast-smart-issue, terraform-proxmox, terraform-runs-on, tf-splunk-aws

DIRECT call to googleapis/release-please-action@v4 (1) — should migrate:

  • nix-claude-code

ORPHAN manifest, no workflow (1) — broken; release-please does nothing:

  • terraform-github

NO release-please at all (19) — categorized:

| Category | Repos |
| --- | --- |
| Meta / excluded | .github, .github-tofu |
| Templates (should ship versioning) | python-template, terraform-aws-template |
| Public utility | cc-edge-claude-code-io, claude-code-best-practice, claude-code-routines, nix-ai-server, nix-pxe-bootstrap, nixos-ai |
| Docs | docs, docs-starlight |
| Private (different secrets-sync needs) | cribl-migration, homelab-schemas, int_homelab, nix-mac-performance, nix-screenpipe, terraform-aws, terraform-unifi, unifi-config |

Blocker for nix-claude-code (Q3a) and terraform-github (Q3c) migrations

The _release-please.yml reusable workflow needs vars.GH_APP_CLIENT_ID + secrets.GH_APP_PRIVATE_KEY resolving to a GitHub App that is installed on the consuming repo.

  • Org-level vars.GH_APP_CLIENT_ID = Ov23liw1JmFMwHTqb8HE (App ID 3509510) — this App is NOT in gh api orgs/dryvist/installations.
  • Working repos (e.g. terraform-proxmox, nix-darwin) all carry repo-level overrides: vars.GH_APP_CLIENT_ID = Iv23li1hLRLXXMeXwO6f (App ID 2520943).
  • nix-claude-code and terraform-github carry NO repo-level vars/secrets. Migrating their workflows today would mint a token against an uninstalled App → 401.

The distribution mechanism is JacobPEvans-personal/secrets-sync/secrets-config.yml, anchor _github_app_repos. nix-claude-code and terraform-github are absent from that anchor.
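The three bullets above amount to a preflight that can be run before touching either workflow: resolve the client ID the way Actions does (repo-level var wins over org-level), map it to an App, confirm that App appears in the org's installations, and confirm the repo is in the secrets-sync anchor. The following is an added example, not code from any dryvist repo or from secrets-sync. The client-ID-to-App-ID table is taken from the numbers quoted in this issue; the installations payload, variable and secret names, and anchor membership are constructed sample data standing in for what `gh api orgs/dryvist/installations`, `gh variable list` and `gh secret list` would return.

```python
"""Preflight for moving a repo onto the _release-please.yml reusable workflow:
work out which GitHub App a run would mint a token for, and whether that App
is installed on the org and distributed by secrets-sync."""
import json

# Client ID -> App ID pairs as quoted in this issue; a live check would resolve
# them through the API instead of this constructed table.
CLIENT_ID_TO_APP_ID = {
    "Ov23liw1JmFMwHTqb8HE": 3509510,  # org-level default
    "Iv23li1hLRLXXMeXwO6f": 2520943,  # repo-level override on the working repos
}


def resolve_var(name, repo_vars, org_vars):
    """Actions resolves vars.X from the repo first, then falls back to the org."""
    return repo_vars[name] if name in repo_vars else org_vars.get(name)


def installed_app_ids(installations_json):
    """app_id values from a GET /orgs/{org}/installations payload."""
    data = json.loads(installations_json)
    return {inst["app_id"] for inst in data.get("installations", [])}


def preflight(repo, repo_vars, repo_secrets, org_vars, org_secrets, installed, synced_repos):
    """Return the blockers for migrating `repo`; an empty list means go ahead."""
    blockers = []
    client_id = resolve_var("GH_APP_CLIENT_ID", repo_vars, org_vars)
    if client_id is None:
        blockers.append("GH_APP_CLIENT_ID not set at repo or org level")
    else:
        app_id = CLIENT_ID_TO_APP_ID.get(client_id)
        if app_id is None:
            blockers.append(f"client id {client_id} does not map to a known App")
        elif app_id not in installed:
            blockers.append(f"App {app_id} (client {client_id}) is not installed on the org: token mint would 401")
    # Secret values are not readable via the API, so only names are checked.
    if "GH_APP_PRIVATE_KEY" not in (repo_secrets | org_secrets):
        blockers.append("GH_APP_PRIVATE_KEY not set at repo or org level")
    if repo not in synced_repos:
        blockers.append("repo missing from the secrets-sync _github_app_repos anchor")
    return blockers


# Constructed sample state mirroring the situation described in this issue.
INSTALLATIONS = json.dumps({"total_count": 1, "installations": [{"id": 101, "app_id": 2520943}]})
ORG_VARS = {"GH_APP_CLIENT_ID": "Ov23liw1JmFMwHTqb8HE"}
ORG_SECRETS = {"GH_APP_PRIVATE_KEY"}  # assumed to exist at org level (constructed)
REPO_STATE = {  # repo -> (repo-level vars, repo-level secret names)
    "terraform-proxmox": ({"GH_APP_CLIENT_ID": "Iv23li1hLRLXXMeXwO6f"}, {"GH_APP_PRIVATE_KEY"}),
    "nix-claude-code": ({}, set()),
}
SYNCED = {"terraform-proxmox", "nix-darwin"}  # constructed _github_app_repos membership


def run_samples():
    """Preflight every sample repo; returns repo -> list of blockers."""
    installed = installed_app_ids(INSTALLATIONS)
    return {repo: preflight(repo, v, s, ORG_VARS, ORG_SECRETS, installed, SYNCED)
            for repo, (v, s) in REPO_STATE.items()}


if __name__ == "__main__":
    for repo, blockers in run_samples().items():
        print(repo, "OK" if not blockers else blockers)
```

With the sample data, terraform-proxmox passes and nix-claude-code reports two blockers: the org-level App is not installed, and the repo is absent from the anchor. Those are exactly the two conditions Stage 1 and Stage 2 below are meant to clear before any workflow PR is opened.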

Action items (ordered)

  • Stage 1 (PRIVATE tier, JacobPEvans-personal/secrets-sync) — add nix-claude-code and terraform-github to the _github_app_repos anchor. Run the distribution workflow.
  • Stage 2 (DRYVIST tier, this repo) — verify repo-level GH_APP_CLIENT_ID/GH_APP_PRIVATE_KEY/GH_APP_ID populated on both repos.
  • Stage 3 (DRYVIST tier) — open Q3a PR: replace nix-claude-code/.github/workflows/release-please.yml body with uses: JacobPEvans-personal/.github/.github/workflows/_release-please.yml@main. Reference: identical pattern in dryvist/nix-darwin/.github/workflows/release-please.yml.
  • Stage 4 (DRYVIST tier) — open Q3c PR: add release-please.yml to terraform-github calling the same reusable. Manifest already exists; verify release-please-config.json is present and valid.
  • Stage 5 — net-new for high-priority gaps: python-template, terraform-aws-template, docs, claude-code-routines, claude-code-best-practice. Each needs release-please-config.json + .release-please-manifest.json + release-please.yml (reusable caller) + secrets-sync inclusion + (optionally) a VERSION file for release-type: simple.
  • Stage 6 — explicit policy decision for the remaining repos (private + niche utility): either ship release-please everywhere with release-type: simple (per current ci-cd-policy.md) or update the policy to carve out documented exclusions and list them.
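Stages 4 and 5 both come down to the same file-set check: config present and valid, manifest present with a semver entry per package, a workflow that actually calls the reusable, and optionally a VERSION file for release-type: simple. The following is an added example, not code from any dryvist repo or from release-please itself. It takes a repo's files as a path-to-content dict; the sample repo contents are constructed, and the schema checks assume the standard manifest-mode layout (a `packages` map keyed by path, `release-type` per package or at top level, manifest mapping path to version). The orphan sample reproduces the terraform-github shape from the audit: manifest present, no workflow.

```python
"""Check a repo's release-please file set before (or after) wiring in the
reusable caller: release-please-config.json, .release-please-manifest.json,
.github/workflows/release-please.yml and, for release-type: simple, VERSION."""
import json
import re

SEMVER = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")
REUSABLE_MARKER = "_release-please.yml@main"  # same string the audit loop greps for


def check_release_please_files(files):
    """files maps repo-relative path -> content. Returns {'errors': [...], 'notes': [...]}."""
    errors, notes = [], []
    workflow = files.get(".github/workflows/release-please.yml")
    if workflow is None:
        errors.append("no .github/workflows/release-please.yml: release-please never runs")
    elif REUSABLE_MARKER not in workflow:
        errors.append("release-please.yml does not call the _release-please.yml reusable workflow")

    config_raw = files.get("release-please-config.json")
    if config_raw is None:
        errors.append("release-please-config.json missing")
        return {"errors": errors, "notes": notes}
    try:
        config = json.loads(config_raw)
    except json.JSONDecodeError as exc:
        errors.append(f"release-please-config.json is not valid JSON: {exc.msg}")
        return {"errors": errors, "notes": notes}

    packages = config.get("packages") if isinstance(config, dict) else None
    if not isinstance(packages, dict) or not packages:
        errors.append("config has no 'packages' map (a root package is keyed '.')")
        packages = {}

    manifest = {}
    manifest_raw = files.get(".release-please-manifest.json")
    if manifest_raw is None:
        errors.append(".release-please-manifest.json missing")
    else:
        try:
            manifest = json.loads(manifest_raw)
        except json.JSONDecodeError as exc:
            errors.append(f"manifest is not valid JSON: {exc.msg}")
        if not isinstance(manifest, dict):
            errors.append("manifest must be a JSON object of package path -> version")
            manifest = {}

    for path, pkg in packages.items():
        per_pkg = pkg.get("release-type") if isinstance(pkg, dict) else None
        release_type = per_pkg or config.get("release-type")
        if release_type is None:
            errors.append(f"package {path!r}: no release-type at package or top level")
        version = manifest.get(path)
        if version is None:
            errors.append(f"package {path!r}: no entry in manifest")
        elif not isinstance(version, str) or not SEMVER.match(version):
            errors.append(f"package {path!r}: manifest version {version!r} is not semver")
        if release_type == "simple":
            version_file = "VERSION" if path == "." else path.rstrip("/") + "/VERSION"
            if version_file not in files:
                notes.append(f"package {path!r}: release-type simple but no {version_file} (optional)")
    return {"errors": errors, "notes": notes}


# Constructed sample repos (not the real contents of any dryvist repo).
CALLER = ("jobs:\n  release:\n"
          "    uses: JacobPEvans-personal/.github/.github/workflows/_release-please.yml@main\n")
COMPLETE = {
    "release-please-config.json": json.dumps({"packages": {".": {"release-type": "simple"}}}),
    ".release-please-manifest.json": json.dumps({".": "1.4.2"}),
    ".github/workflows/release-please.yml": CALLER,
    "VERSION": "1.4.2\n",
}
ORPHAN = {k: v for k, v in COMPLETE.items() if k != ".github/workflows/release-please.yml"}
BAD_VERSION = dict(COMPLETE, **{".release-please-manifest.json": json.dumps({".": "v1.4"})})


def run_samples():
    """Check each sample repo; returns name -> findings."""
    return {name: check_release_please_files(files)
            for name, files in [("complete", COMPLETE), ("orphan", ORPHAN), ("bad-version", BAD_VERSION)]}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(name, result)
```

Run against a checkout, the dict would be built by reading the four paths from disk (or from the contents API, as the audit loop does); the check stays the same either way.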

Audit reproducibility

The audit was generated with this one-liner (re-run any time to refresh the table):

# One row per non-archived dryvist repo: manifest present? workflow present? caller type.
for repo in $(gh repo list dryvist --no-archived --limit 100 --json name --jq '.[].name' | sort); do
  # Y when the file exists, "." otherwise (gh api exits non-zero on 404).
  m=$(gh api "repos/dryvist/$repo/contents/.release-please-manifest.json" --silent 2>/dev/null && echo Y || echo .)
  w=$(gh api "repos/dryvist/$repo/contents/.github/workflows/release-please.yml" --silent 2>/dev/null && echo Y || echo .)
  if [ "$w" = "Y" ]; then
    # Decode the workflow body and classify it by what it calls.
    c=$(gh api "repos/dryvist/$repo/contents/.github/workflows/release-please.yml" --jq .content 2>/dev/null | base64 -d)
    if echo "$c" | grep -q "_release-please.yml@main"; then t=reusable
    elif echo "$c" | grep -q "googleapis/release-please-action"; then t=direct
    else t=unknown; fi
  else t=-; fi
  printf "%-30s %-2s %-2s %s\n" "$repo" "$m" "$w" "$t"
done
