The repository had two schema generation entrypoints with overlapping but unequal responsibilities. nix run .#generate ran crossplane dependency update-cache, which regenerates only the dependency half of the schemas under schemas/python/ (provider and Crossplane CRD models) plus their schemas/.lock.json entries. The XRD-derived models under schemas/python/models/ai/ are written instead by crossplane project build (nix run .#build-crossplane). Running .#generate alone therefore produced an incomplete tree, and a contributor following CONTRIBUTING.md would regenerate schemas without the local XRD models.

Both generators are also additive: they overwrite the files they emit but never remove models or lock entries for XRDs or dependencies that have been dropped or renamed. Stale schemas and lock entries accumulated across regenerations. This is how schemas/.lock.json came to carry entries for provider versions the project no longer referenced.

This change removes the .#generate app and makes .#build-crossplane the single schema generation entrypoint, since crossplane project build already regenerates both halves of the tree. The build first deletes schemas/python/ and schemas/.lock.json wholesale, so the regenerated output reflects only the current XRDs and dependencies. CONTRIBUTING.md and the dev shell help are updated to point at .#build-crossplane.

Signed-off-by: Nic Cope <nicc@rk0n.org>

Modelplane's provider dependencies were pulled from the Upbound registry (xpkg.upbound.io/upbound), and provider-helm and provider-kubernetes used a >= range rather than an exact version. The ranges let the resolved version drift, so two checkouts could build against different provider versions.

Pinning to exact versions on the Upbound registry needs care. Per Upbound's package policies, a downstream main release stays available for 12 months, but once a minor line has a newer minor, its remaining patch releases are backports that require a paid subscription. Pinning to a downstream-only backport such as provider-kubernetes v1.2.6 or provider-aws-efs v2.5.3 would point anonymous users at an artifact they can't pull.

The versions that exist upstream on crossplane-contrib are retained on the Upbound registry for 12+ months, so pinning to the latest upstream release of each provider keeps the artifacts pullable without a subscription while still getting the signed, SBOM-bearing downstream builds. This pins every provider to that version: the AWS and GCP family providers (including provider-aws-efs) to v2.6.0, provider-helm to v1.2.0, and provider-kubernetes to v1.2.1. The generated schemas and schemas/.lock.json are regenerated against the pinned dependencies.

Signed-off-by: Nic Cope <nicc@rk0n.org>

dennis-upbound approved these changes Jun 17, 2026

Description of your changes
Modelplane's provider dependencies were pulled from the Upbound registry (xpkg.upbound.io/upbound), and provider-helm and provider-kubernetes used a >= range rather than an exact version. The ranges let the resolved version drift, so two checkouts could build against different provider versions.

Pinning to exact versions on the Upbound registry takes some care. Per Upbound's package policies, a downstream main release stays available for 12 months, but once a minor line has a newer minor, its remaining patch releases are backports that require a paid subscription and pull secrets. So pinning to a downstream-only backport like provider-kubernetes:v1.2.6 or provider-aws-efs:v2.5.3 would point anonymous users at an artifact they can't pull.

The versions that exist upstream on crossplane-contrib are retained on the Upbound registry for 12+ months, so pinning each provider to its latest upstream release keeps the artifacts pullable without a subscription while still getting the signed, SBOM-bearing downstream builds. This pins the AWS and GCP family providers (including provider-aws-efs) to v2.6.0, provider-helm to v1.2.0, and provider-kubernetes to v1.2.1.

The preparatory commit fixes a related problem in schema generation. There were two entrypoints: nix run .#generate regenerated only the dependency half of schemas/python/, while the XRD-derived models under models/ai/ are written by crossplane project build (nix run .#build-crossplane). Running .#generate alone produced an incomplete tree. Both generators were also additive, never removing models or lock entries for dependencies that had been dropped or renamed, which is how schemas/.lock.json accumulated entries for unused provider versions. That commit removes .#generate, makes .#build-crossplane the single entrypoint, and has it delete schemas/ before regenerating so the output reflects only the current XRDs and dependencies.

The bulk of the diff is the regenerated schemas/python/ tree and schemas/.lock.json.

I have:
nix flake check (or ./nix.sh flake check) and made sure it passes.
Added or updated tests covering any composition function changes. No composition function changes.
git commit -s.
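
The two problems this pull request describes (range constraints that let the resolved provider version drift, and lock entries left behind for versions no longer declared) can be checked mechanically. The following is an added example, not code from this pull request or from the Crossplane tooling; the dependency and lock records use a simplified, hypothetical shape (`package`, `version`), and the `>=v1.0.0` ranges and the stale `v1.1.0` lock entry are constructed sample values.

```python
import re

# An exact pin is one semantic version (optional "v" prefix) with no range operator.
EXACT_VERSION = re.compile(r"^v?\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")

REGISTRY = "xpkg.upbound.io/upbound"

# Constructed sample: dependencies declared with ranges (hypothetical record shape).
BEFORE = [
    {"package": f"{REGISTRY}/provider-helm", "version": ">=v1.0.0"},
    {"package": f"{REGISTRY}/provider-kubernetes", "version": ">=v1.0.0"},
    {"package": f"{REGISTRY}/provider-aws-efs", "version": "v2.6.0"},
]

# The exact pins named in the pull request description.
AFTER = [
    {"package": f"{REGISTRY}/provider-helm", "version": "v1.2.0"},
    {"package": f"{REGISTRY}/provider-kubernetes", "version": "v1.2.1"},
    {"package": f"{REGISTRY}/provider-aws-efs", "version": "v2.6.0"},
]

# Constructed lock contents as an additive generator would leave them:
# the provider-helm v1.1.0 entry is stale (no declared dependency matches it).
LOCK = [
    {"package": f"{REGISTRY}/provider-helm", "version": "v1.1.0"},
    {"package": f"{REGISTRY}/provider-helm", "version": "v1.2.0"},
    {"package": f"{REGISTRY}/provider-kubernetes", "version": "v1.2.1"},
    {"package": f"{REGISTRY}/provider-aws-efs", "version": "v2.6.0"},
]


def unpinned(dependencies):
    """Return (package, constraint) pairs whose constraint is not an exact version."""
    return [(d["package"], d["version"]) for d in dependencies
            if not EXACT_VERSION.match(d["version"].strip())]


def stale_lock_entries(dependencies, lock_entries):
    """Return sorted (package, version) lock entries with no matching declared pin."""
    declared = {(d["package"], d["version"].strip()) for d in dependencies}
    locked = {(e["package"], e["version"].strip()) for e in lock_entries}
    return sorted(locked - declared)


if __name__ == "__main__":
    for pkg, constraint in unpinned(BEFORE):
        print(f"not pinned: {pkg} {constraint}")
    for pkg, version in stale_lock_entries(AFTER, LOCK):
        print(f"stale lock entry: {pkg} {version}")
```

Run as a CI gate, a non-empty result from either function would fail the build before a drifting or orphaned provider version reaches a release.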