Org-wide version delivery: fix Renovate + release-please, then nix-darwin rebuild

[JacobPEvans-personal]

Org-wide version delivery: Renovate + release-please → nix-darwin rebuild

Goal

Get nix-darwin onto the latest main of every dryvist dependency and
darwin-rebuild switch this machine — gated behind a full org-wide fix of
the two version-delivery systems (Renovate + release-please), both centralized
in dryvist/.github and inherited org-wide, with governance consolidated into
this repo (terraform-github).

Tracking issue for a multi-session program. Child PRs link back here.

Verified current state

• release-please broken on 16 repos: reusable workflow mints a GitHub App
  token (App 3509510 = JacobPEvans-github-actions[bot]) that 404s because the
  App is not installed on the dryvist org (installations don't follow repo
  transfers). Only nix-claude-code works (app-free pattern).
• Renovate runs (Mend app) but canonical preset lives in
  JacobPEvans-personal/.github (dryvist/.github only re-extends it), refs are
  fragmented, and 15 repos have no Renovate config.
• Governance: terraform-github (canonical) vs .github-tofu (same-day
  scaffold, collides on org ruleset 15555419).
• nix-darwin inputs track main, 0–6 commits stale — one nix flake update
  brings it current; not dependent on release-please.

Hard dependencies on @JacobPEvans-personal

• A — Install GitHub App 3509510 (JacobPEvans-github-actions) on the
  dryvist org, All repositories, perms Contents: write +
  Pull requests: write. Root fix for all 16 release-please failures; gates
  the final rebuild.
• B — Apply terraform-github once governance PRs land:
  aws-vault exec tf-github -- terragrunt apply with an org-admin token.

Phases

• Phase 1 — Governance consolidation (this repo): port .github-tofu's
  per-repo-settings module, expand inventory to all non-archived dryvist repos,
  add github_repository_file enforcement for the Renovate + release-please
  pointer files. Retire .github-tofu before it applies.
• Phase 2 — Renovate centralization: define canonical preset in
  dryvist/.github; repoint all configured repos to local>dryvist/.github;
  add pointer renovate.json to the 15 bare repos.
• Phase 3 — release-please centralization + fix: canonical reusable
  workflow in dryvist/.github; repoint all release-candidate callers; verify
  green after App install.
• Phase 4 — nix-darwin → latest: land pending chain PRs;
  nix flake update; merge.
• Phase 5 — Rebuild (gated on 1–4 green): darwin-rebuild switch,
  resolve every warning to zero.

[JacobPEvans-personal]

Status update + corrected App identity

Correction to Dependency A

The release-please App to install is 3923580 — the dedicated org release
App whose ID you placed in the GH_ACTION_RELEASE_PLEASE_APP_ID org variable.
My earlier reference to App 3509510 (JacobPEvans-github-actions) is
superseded: that's the legacy app behind the old cross-account reusable.
The new org-native path uses 3923580 + the GH_ACTION_RELEASE_PLEASE_PRIVATE_KEY
org secret.

Action: install App 3923580 on the dryvist org → All repositories →
permissions Contents: write, Pull requests: write (Issues: write too,
for release labels). Confirm the GH_ACTION_RELEASE_PLEASE_PRIVATE_KEY org
secret is scoped to all repositories.

Progress

• ✅ Keystone merged: dryvist/.github PR #16 — org-native _release-please.yml
  reusable (org App creds, no cross-account dep, no workarounds).
• ⏳ dryvist/nix-ai PR #859 — first caller repointed to the new reusable; CI
  running. Merging it triggers a release-please run that validates whether App
  3923580 is installed: green = installed (propagate to the other 15 repos),
  404 = still needs installing.
• ⏭ Remaining 15 release-candidate repos: caller repoints queued behind nix-ai
  validation.