release: v0.1.1 — patch release with collector reliability fixes

[cmeans-claude-dev]

Summary

Promotes the project to v0.1.1 — first patch release. Three mechanical edits:

• pyproject.toml: version = "0.1.0" → version = "0.1.1"
• CHANGELOG.md: insert ## [0.1.1] - 2026-04-26 directly under the (still-empty) ## [Unreleased] so all 12 PRs' worth of bullets that have accumulated since v0.1.0 are now categorized under the 0.1.1 release. Updated link refs at the bottom: [Unreleased] now compares from v0.1.1, and a new [0.1.1] entry compares v0.1.0...v0.1.1.
• uv.lock: refreshed by uv lock so the locked pypi-winnow-downloads version (0.1.1) matches pyproject.toml.

What ships in v0.1.1

Library fixes (operator-visible, the reason for the patch release):

collector: _write_health OSError no longer escapes per-package isolation (#32)	Disk-full / perm errors now produce structured winnow-collect: …; health file write failed: [Errno 28] No space left on device exit instead of a raw traceback. New CollectorResult.health_write_error: str | None field surfaces the failure structurally.
collector: stale_threshold_days is now actually consulted (#33)	The "warn if previous run is older than N days" feature documented in config.example.yaml since v0.1.0 finally fires. Log-only per the documented v1 contract; degrades silently on first-run / unreadable / malformed / future-timestamped previous _health.json.

Documentation:

• README acknowledgments / license / BigQuery dataset link refresh (PR docs(readme): Acknowledgments + License sections, BigQuery dataset link, GCP credential setup pointer #15)
• README shields.io URL canonicalization (docs(readme): canonicalize shields.io endpoint-badge URL form (line 11) #16, PR docs(readme): canonicalize shields.io endpoint-badge URL form (#16) #27)
• deploy/README.md Tailscale Funnel as alternative HTTPS exposure (PR docs(deploy): document Tailscale Funnel as an alternative HTTPS exposure #22)
• deploy/README.md "Pick an approach" table reflects the new Caddy logging shape (PR deploy(caddy): split error + access logs to rotated files (validates against live CT 112) #30)

CI / project infrastructure (no PyPI consumer impact, but hardens future releases):

• Community health files (PR chore: community health files (CONTRIBUTING, CoC, SECURITY, issue templates) #20)
• .github/dependabot.yml across pip + github-actions + docker (PR chore: add dependabot.yml (pip / github-actions / docker) #21)
• Dependabot PR hygiene cascade with App-token authenticated auto-CHANGELOG workflow (PR chore: Dependabot PR hygiene — PR template + auto-CHANGELOG workflow + prefix fix #25), validated end-to-end via PR chore(deps): bump codecov/codecov-action from 5 to 6 in the github-actions group across 1 directory #23 + chore(deps): bump python from 3.13-slim to 3.14-slim in /deploy/docker #24
• deploy-smoke CI job, now a required status check on main-protection (PR ci: add deploy-smoke job for Dockerfile + Compose + Caddyfile examples (#7) #29, Add Docker image smoke test to CI #7, Promote deploy-smoke to required status check (soak window post-#29) #31)
• deploy/caddy/Caddyfile.example gains global error logger + per-site access logger with built-in lumberjack rotation (PR deploy(caddy): split error + access logs to rotated files (validates against live CT 112) #30) — also fixed live on CT 112
• 100% coverage on src/ via real tests, with fail_under = 100 gate (PR test: 100% coverage on src/ via real tests + fail_under gate (#37) #38, Push coverage from 99% → 100% on src/ #37)

Verification

• uv run pytest --cov — 71/71 passed, 100% coverage gate green
• uv run ruff check src/ tests/ — clean
• uv run ruff format --check src/ tests/ — clean
• uv run mypy src/pypi_winnow_downloads/ — clean
• uv.lock matches pyproject.toml — pypi-winnow-downloads v0.1.0 -> v0.1.1
• CHANGELOG link refs verified by hand: Unreleased compares from v0.1.1, [0.1.1] compares v0.1.0...v0.1.1, [0.1.0] unchanged
• CI green on all jobs (lint, typecheck, test 3.11/3.12/3.13, deploy-smoke, codecov)

After this merges

# Tag the squash-merge commit and push — publish.yml fires on tag push
# and uploads to PyPI via the existing trusted-publisher OIDC flow.
git tag v0.1.1 <merge-sha>
git push origin v0.1.1

Then:

• Verify the release at https://pypi.org/project/pypi-winnow-downloads/0.1.1/
• Update the live CT 112 deployment to install pypi-winnow-downloads==0.1.1 from PyPI (currently runs a wheel built from main; pinning keeps deploy reproducible).

Skip TestPyPI this time?

The v0.1.0 release used the test-v0.1.0 → TestPyPI → verify → v0.1.0 → PyPI sequence to validate the OIDC handshake. v0.1.1 has the same trusted-publisher config and the same publish.yml workflow; if you want belt-and-suspenders, the same test-v0.1.1 step is available, otherwise direct-to-PyPI is reasonable now that the publisher path is known-good. Maintainer call.

Closes the v0.1.1 release cycle.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[cmeans]

LGTM

[cmeans]

QA round 1 — clean, signing off

Per CLAUDE.md: "Release PRs do not need QA sections — the code was already tested in feature PRs." So this is a release-mechanics check rather than a re-QA pass.

Mechanical correctness on head aba6522:

Check	Result
pyproject.toml version	0.1.0 → 0.1.1 (single line)
uv.lock change scope	exactly two lines (one +/one - on the pypi-winnow-downloads version field). No incidental dep churn — Dev didn't accidentally bump anything else by running uv lock with stale upstreams.
pypi_winnow_downloads.__version__ after install	0.1.1 (verified via uv run python -c "import pypi_winnow_downloads; print(pypi_winnow_downloads.__version__)") — confirms pyproject.toml is the single source of truth and the importlib.metadata lookup wires through
## [Unreleased] after the insertion	empty (heading immediately followed by ## [0.1.1] - 2026-04-26, no orphaned bullets)
## [0.1.1] section	14 bullets across ### Added / ### Changed / ### Fixed — only the canonical Keep-a-Changelog categories (no rule-violating subsections)
Date 2026-04-26	matches today
Link refs	[Unreleased]: …compare/v0.1.1...HEAD, [0.1.1]: …compare/v0.1.0...v0.1.1, [0.1.0]: …releases/tag/v0.1.0 — all three resolve to the right targets
SemVer fit	patch bump appropriate. Public-API delta vs v0.1.0: CollectorResult.health_write_error: str | None = None (additive, default-None backward-compat); _check_staleness is internal (_-prefixed); everything else is CI/deploy/docs. No breaking changes.
Final local sweep	71/71 pytest, ruff/format/mypy clean
CI on PR head	all SUCCESS (test 3.11/3.12/3.13, lint, typecheck, deploy-smoke, qa-approved, on-push)

Cross-reference of [0.1.1] scope vs PRs merged since v0.1.0:

gh pr list --base main --search "merged:>=2026-04-25" returns 18 merged PRs since the v0.1.0 release PR (#13). Spot-checked each:

• The two operator-visible fixes (#32 / PR #35, #33 / PR #36) — represented under ### Fixed ✓
• All deploy/CI/docs/dependabot/coverage work (#15, #16, #20, #21, #22, #23, #24, #25, #27, #29, #30, #37, #38) — represented or explicitly excluded by their own decision (#20, #21 chose to omit per "repo infrastructure, not user-visible product change")
• The release PR body's "CI / project infrastructure" section honestly distinguishes "not in CHANGELOG by design" from "in CHANGELOG"

No orphaned PRs, no missing categories.

Note (not a finding): .github/ISSUE_TEMPLATE/bug_report.yml:14 has placeholder "0.1.0 or abc1234". After v0.1.1 ships, the example version in the placeholder lags by one release. This is placeholder text (clear from the surrounding form), not a claim — analogous to BADGE_HOST=badges.example.com in compose. Users putting their own version follow the format. Bumping it on every release is an indefinite ratchet; could instead refactor to "e.g., 0.1.x or commit SHA" to make it durable. Operator's call, not a release-mechanic blocker.

No findings. Transitioning label to Ready for QA Signoff. Per feedback_no_qa_label, not applying QA Approved — that's the maintainer's act, after which the post-merge tag/push sequence in your PR body fires publish.yml → PyPI.

[cmeans]

Applying Ready for QA Signoff — see review above. Release-mechanic checks all pass: pyproject.toml + uv.lock minimal version-bump pair (no incidental dep churn), [Unreleased] empty post-insertion, 14 bullets in [0.1.1] across canonical Keep-a-Changelog categories, link refs correct, date matches today, SemVer patch-bump appropriate (no breaking public-API changes; only additive CollectorResult.health_write_error). Local 71/71 + ruff/format/mypy clean, CI all green. One informational note in the review about a stale placeholder in bug_report.yml — operator's call, not blocking. Not applying QA Approved per the standing rule.