This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
This is the Calunga / Trusted Libraries Index — a Red Hat project that maintains a curated index of Python packages built into trusted wheels from source. It is not a Python library or application; it is a package registry management system. The primary artifact is the onboarded_packages/ directory, where each JSON file specifies the latest version to be built and published to Pulp (packages.redhat.com).
- `onboarded_packages/`: The source of truth. One JSON file per package with `{"version": "...", "ignored_versions": [...]}`. The `version` field specifies the latest version to build; `ignored_versions` lists versions to skip during automated updates. An optional `build_extra` field (list of bare package names) declares undeclared dependencies that must be built alongside the package; `identify-packages` resolves each to its current version from the corresponding JSON file. Every entry in `build_extra` must have a matching onboarded package JSON or the build will fail. An optional `sdist_url` field (e.g. `"git+https://github.com/org/repo.git"`) directs the build to fetch the source from a git URL instead of PyPI; `identify-packages` produces a PEP 440 URL requirement (`pkg @ url@version`) when this field is present.
- Build pipeline: Tekton/Konflux on OpenShift. Builds wheels from source, runs security scans (Snyk, Coverity, ClamAV, SAST), and pushes OCI artifacts to Quay
- Automated updates: GitHub Actions workflow checks PyPI for new versions not yet in Pulp, creates PRs with auto-merge
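The `build_extra` and `sdist_url` rules above can be checked before a PR reaches the build. The following is an added example, not the project's `identify-packages` code; it assumes the file stem equals the bare package name and that PyPI-sourced packages are pinned as `pkg==version`, and the package names and URL are constructed.

```python
import json
import tempfile
from pathlib import Path


def load_index(directory):
    """Map package name -> parsed JSON for every file in the directory."""
    paths = sorted(Path(directory).glob("*.json"))
    return {p.stem: json.loads(p.read_text()) for p in paths}


def requirement(name, entry):
    """Render one requirement; the URL form is the page's pkg @ url@version."""
    if "sdist_url" in entry:
        return f"{name} @ {entry['sdist_url']}@{entry['version']}"
    return f"{name}=={entry['version']}"  # assumed pin format for PyPI sources


def resolve(name, index):
    """Requirements for a package plus its build_extra; raise on a missing entry."""
    extras = index[name].get("build_extra", [])
    missing = [e for e in extras if e not in index]
    if missing:
        raise LookupError(f"{name}: build_extra not onboarded: {', '.join(missing)}")
    return [requirement(name, index[name])] + [requirement(e, index[e]) for e in extras]


def demo():
    """Constructed sample index (hypothetical packages) written to a temp dir."""
    files = {
        "alpha": {"version": "2.1.0", "ignored_versions": ["2.0.0"],
                  "build_extra": ["beta"]},
        "beta": {"version": "0.9.3", "ignored_versions": [],
                 "sdist_url": "git+https://example.invalid/org/beta.git"},
        "gamma": {"version": "1.0.0", "ignored_versions": [],
                  "build_extra": ["delta"]},  # delta has no JSON file
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in files.items():
            (Path(tmp) / f"{name}.json").write_text(json.dumps(body))
        index = load_index(tmp)
    results = {"alpha": resolve("alpha", index)}
    try:
        resolve("gamma", index)
    except LookupError as exc:
        results["gamma"] = str(exc)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```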
`hack/onboard.sh <package_name>`: Full lifecycle: creates `onboarded_packages/<name>.json`, branches, commits, pushes, opens a PR, waits for CI, merges, and cleans up. Subcommands (`create`, `wait`, `merge`) are available for batch workflows; see `hack/onboard.sh --help`.
`python hack/check-for-updates.py`: Requires `SERVICE_ACCOUNT_USERNAME` and `SERVICE_ACCOUNT_PASSWORD` env vars. Uses aiohttp to async-compare PyPI vs Pulp versions. Outputs JSON of packages needing builds.
`hack/replace-package "<package>==<version>"`
`hack/identify-packages <git_revision> <output_file> <status_file>`: Compares `onboarded_packages/` JSON files against a prior git revision to determine what needs building.
`python hack/generate-available-packages.py`: Requires Pulp credentials and configuration env vars.
- Tekton pipelines in `.tekton/`: triggered on push to main and on PRs
- PR trigger (`.tekton/calunga-v2-index-main-pull-request.yaml`): compares against `origin/main`
- Push trigger (`.tekton/calunga-v2-index-main-push.yaml`): compares against `HEAD^`
- Build task: `build-python-wheels-oci-ta`, builds wheels from source with 20Gi memory limit
- Enterprise Contract: policy config in `konflux/ecp.yaml`
- GitHub Actions (`.github/workflows/get_new_package_versions.yml`): periodic PyPI update checker, creates automated PRs
When debugging Konflux pipeline failures (wheel-check failures, build errors, release issues), always consult .claude/agents/debug-package.md first. It contains the full diagnostic procedure, including kubearchive commands for retrieving logs from garbage-collected PipelineRuns (older than ~5 days). Do not attempt generic debugging approaches (e.g. oc get pipelinerun) without first checking whether the resources have been GC'd and switching to kubectl ka if needed.
Automated builds follow: `Automatic build <package>==<version>`
Use Assisted-by as the commit trailer (not Co-Authored-By).
- Python 3.12 (primary), Python 3.13 (planned)
- x86_64 / manylinux_2_28 (aarch64 planned)
- Tested on: UBI9, UBI10, Fedora, Ubuntu 24.04