Idempotency: creates: silently skips version upgrades

In tasks/python.yml, the Install uv (Astral) task uses creates: /usr/local/bin/uv. Once uv is installed, the task never re-runs — even when an operator bumps django_uv_version (e.g. 0.6.10 → 0.7.0). The next playbook run is a silent no-op and the upgrade never happens.

The comment in defaults/main.yml says "Pinning makes the install task's creates: idempotency check meaningful" — but pinning actually makes the broken-upgrade case more likely, since the operators most likely to pin are the ones who later want to bump.

Suggested fix: probe the installed version first, then install only when it doesn't match.

- name: Check installed uv version
  ansible.builtin.command: /usr/local/bin/uv --version
  register: _uv_installed
  failed_when: false
  changed_when: false
  become: true
  become_user: root
  when: django_use_uv

- name: Install uv (Astral)
  vars:
    _uv_installer_url: >-
      {{
        'https://astral.sh/uv/install.sh'
        if django_uv_version == 'latest'
        else 'https://astral.sh/uv/' ~ django_uv_version ~ '/install.sh'
      }}
  ansible.builtin.shell: |
    set -eo pipefail
    curl -LsSf {{ _uv_installer_url }} | env UV_INSTALL_DIR=/usr/local/bin sh
  args:
    executable: /bin/bash
  become: true
  become_user: root
  when:
    - django_use_uv
    - _uv_installed.rc != 0
      or django_uv_version == 'latest'
      or django_uv_version not in (_uv_installed.stdout | default(''))

The when: covers three cases: not-yet-installed (rc != 0), latest mode (re-run every time since you can't compare against a moving target), and pinned version mismatch.

One sharp edge worth noting: "0.6.1" in "uv 0.6.10 ..." is True, so a strict-semver pin like 0.6.1 would skip an upgrade to 0.6.10. For the typical full-semver pin (0.6.10) this isn't an issue, but if you want defense in depth, anchor with regex_search instead of in.

Idempotency: Bootstrap pip into the uv-managed venv always reports changed

In tasks/install.yml, the new bootstrap-pip task hardcodes changed_when: true:

- name: Bootstrap pip into the uv-managed venv
  ansible.builtin.command:
    cmd: >-
      uv pip install
      --python {{ django_venv_path }}/bin/python
      pip
  environment:
    UV_LINK_MODE: copy
  become: true
  become_user: "{{ django_system_user }}"
  changed_when: true
  when:
    - django_use_uv| bool

Every playbook run reports this task as changed even when pip is already present. Two effects:

1. Misleading PLAY RECAP output — operators stop noticing real changes when every deploy reports changed=N for no reason.
2. Wasted work — uv pip install pip re-runs on every converge.

Suggested fix: add a creates: guard pointing to the file the command produces, and drop the hardcoded changed_when.

- name: Bootstrap pip into the uv-managed venv
  ansible.builtin.command:
    cmd: >-
      uv pip install
      --python {{ django_venv_path }}/bin/python
      pip
    creates: "{{ django_venv_path }}/bin/pip"
  environment:
    UV_LINK_MODE: copy
  become: true
  become_user: "{{ django_system_user }}"
  when:
    - django_use_uv| bool

Note this is not the same footgun as the creates: issue I flagged on the uv installer task — pip's version isn't a tunable in this role, so there's no upgrade path to silently skip. If an operator wants a specific pip version, they'd put it in django_dependency_pip_packages and ansible.builtin.pip handles it.

Low severity / polish — the same always-changed pattern exists for the poetry and pipenv tasks in this file, so the author was being consistent. Just flagging it as a chance to do it right for the new mode.