chore(deps): sync uv.lock self-version to 0.3.0 (release-commit follow-up)

[cmeans-claude-dev]

Summary

uv.lock's self-version entry catches up to 0.3.0 after the v0.3.0 release commit (fdd4fc3) bumped pyproject.toml without updating uv.lock. The v0.2.0 release commit (35aca51) updated both, so this is a one-off regression in release discipline rather than the established pattern.

Picked up by the weekly uv-lock-refresh cron on its first firing (2026-04-30). The cron's standard transitive-refresh framing was wrong for this run — entire diff is the self-version sync; no transitive pins changed. PR title, body, and CHANGELOG bullet have been rewritten to match what actually changed.

The underlying release-flow gap (uv lock should run as part of the release commit, as it did at v0.2.0) is tracked separately in #60.

Diff

 [[package]]
 name = "pypi-winnow-downloads"
-version = "0.2.0"
+version = "0.3.0"
 source = { editable = "." }

 uv.lock | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Test plan

• uv sync --frozen --extra dev && uv run pytest passes (test gate, verified pre-PR by the cron).
• CI green on PR head (verified on f27f949; refreshes on 805f5ad).
• No pyproject.toml lines changed (confirmed — pyproject.toml already at 0.3.0 on main).

QA round 1 → round 2 changes

• CHANGELOG Unreleased bullet rewritten from "transitive dependency pins refreshed" to honest description of self-version sync, with reference to release: v0.3.0 commit (fdd4fc3) did not update uv.lock self-version — caused mis-framed PR #59 #60 for the release-flow gap.
• PR title rewritten: refresh uv.lock transitive pins (2026-04-30) → sync uv.lock self-version to 0.3.0 (release-commit follow-up).
• PR body rewritten (this section).

🤖 Originally opened by uv-lock-refresh.yml; framing rewritten by Dev round 2 per QA finding.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[cmeans]

QA review — round 1: QA Failed

PR head: f27f949 · branch: chore/uv-lock-refresh-2026-04-30

Verification

Check	Result
uv sync --frozen --extra dev	clean — pulls in pypi-winnow-downloads 0.2.0 → 0.3.0, no other diffs
uv run pytest --cov	88/88 pass, 100% coverage on 286 src statements
uv run ruff check .	clean
uv run ruff format --check .	11 files already formatted
uv run mypy src/pypi_winnow_downloads/	clean (CI's invocation; no issues in 5 src files)
CI status	all green (lint, typecheck, test 3.11/3.12/3.13, deploy-smoke)

Findings

1. (substantive) PR title, body, and CHANGELOG bullet describe a transitive-pin refresh, but the actual diff is a self-version sync. The full uv.lock change is two lines:

   -version = "0.2.0"
   +version = "0.3.0"

   That is the project's own pypi-winnow-downloads entry catching up to the v0.3.0 release. No transitive dependencies changed in this PR. As written, the CHANGELOG bullet ("transitive dependency pins refreshed via routine uv lock --upgrade resolve") would land in v0.4.0's release notes telling users a fiction.

   Why it happened: the v0.3.0 release commit (fdd4fc3) bumped pyproject.toml version = "0.2.0" → "0.3.0" but did not update uv.lock's self-version entry. The v0.2.0 release commit (35aca51) did update both, so this is a one-off regression in release discipline. The cron's diff-gate then fired on this stale-self-version drift two days later and opened #59 with its standard transitive-refresh template.

   I've filed the underlying release-flow gap as #60 so the cron isn't asked to paper over it on every future release. That issue is not gating this PR — it is for follow-up.

   For this PR, suggested options (Dev to choose):

   • A. Rewrite the CHANGELOG bullet, PR title, and PR body honestly — e.g., "uv.lock self-version entry synced to 0.3.0 (release commit fdd4fc3 bumped pyproject.toml only)." Title becomes something like "chore(deps): sync uv.lock self-version to 0.3.0".
   • B. Close this PR without merging and resolve via the release-flow fix in #60 instead — i.e., land a tiny PR that runs uv lock to bring uv.lock in sync, with a one-line CHANGELOG bullet describing exactly that, then close #59 as superseded.

   Either path is fine; the choice is whether to fix-in-place or supersede. Whichever, the misleading "transitive pins refreshed" framing must not survive into a release.

Test plan checkboxes

• uv sync --frozen --extra dev && uv run pytest passes (test gate). — verified locally on f27f949
• CI green on PR head. — verified via gh pr view
• No pyproject.toml lines changed (verify in Files tab). — confirmed (pyproject.toml already at 0.3.0 on main)

Will update the PR body checkboxes accordingly.

Verdict

QA Failed — substantive finding 1 must be addressed before signoff. Toggling labels: QA Active → QA Failed.

Follow-up tickets:

• #60 (release-flow gap; needs-PR-before-ship-of-fix-A — addressing #60 may obviate #59 entirely if Dev picks option B)

Re-flag Ready for QA after addressing.

[cmeans]

Audit: posted review (QA Failed, round 1) → updated PR body checkboxes (all 3 checked, verified locally) → filing follow-up issue #60 for release-flow gap → applying QA Failed label as final act.

[cmeans-claude-dev]

QA round 1 finding addressed via option A (fix in place):

• 805f5ad rewrites the CHANGELOG Unreleased bullet from the cron's stock "transitive pins refreshed" template to an honest description of the self-version 0.2.0 → 0.3.0 sync, with a pointer to release: v0.3.0 commit (fdd4fc3) did not update uv.lock self-version — caused mis-framed PR #59 #60 for the release-flow gap.
• PR title rewritten: refresh uv.lock transitive pins (2026-04-30) → sync uv.lock self-version to 0.3.0 (release-commit follow-up).
• PR body rewritten to match.

Diff under review remains the single 2-line uv.lock self-version hunk — verified clean with git diff main..HEAD -- uv.lock. No pyproject.toml change.

Ready for QA.

[cmeans]

QA review — round 2: PASS

PR head: 805f5ad · branch: chore/uv-lock-refresh-2026-04-30

Re-verification

Check	Result
uv sync --frozen --extra dev	clean
uv run pytest	88/88 pass
uv run ruff check .	clean
uv run ruff format --check .	11 files already formatted
uv run mypy src/pypi_winnow_downloads/	clean (CI invocation)
CI status	all green (lint, typecheck, test 3.11/3.12/3.13, deploy-smoke)

Round 1 finding — addressed

Dev took option A (fix in place). Concretely:

• CHANGELOG.md Unreleased bullet rewritten to honestly describe a self-version sync (not a transitive refresh); calls out the v0.3.0 release-flow gap and links #60.
• PR title rewritten: refresh uv.lock transitive pins (2026-04-30) → sync uv.lock self-version to 0.3.0 (release-commit follow-up).
• PR body rewritten with accurate framing.

Diff is one CHANGELOG line (1+/1−) on top of the original uv.lock two-line self-version bump. No other files touched.

Repo-wide drift check

Grepped for the original "transitive dependency pins refreshed" phrasing across the repo. Three remaining occurrences are all out of scope for this PR and are not drift:

• CHANGELOG.md:24 — under ## [0.3.0] describing PR #55 (an actual pathspec 1.1.0 → 1.1.1 transitive bump). Correct in context.
• docs/superpowers/specs/2026-04-29-uv-lock-refresh-cron-design.md:47 and docs/superpowers/plans/2026-04-29-uv-lock-refresh-cron.md:161 — cron's design-time CHANGELOG-template, intentional spec text.
• .github/workflows/uv-lock-refresh.yml:109 — cron's hardcoded template string. The "always-call-it-transitive" framing is the underlying issue surfaced by #60; cron logic improvement is out of scope here.

Verdict

Ready for QA Signoff. Round 1 substantive finding fully addressed; verification clean.

Follow-up tickets:

• #60 — release-flow gap (uv lock should run as part of release commits). Independent of this PR; Dev to schedule.

Awaiting maintainer QA Approved.

[cmeans]

Audit: round 2 verification complete on 805f5ad — re-ran sync/pytest/ruff/mypy locally + CI all green; round 1 substantive finding addressed (CHANGELOG bullet, PR title, PR body all rewritten honestly); repo-wide drift check clean; #60 still tracks the underlying release-flow gap. Applying Ready for QA Signoff as final act.

[cmeans]

LGTM