Harden release packaging signals #28
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 0689f93610
| - name: Build wheel and source distribution | ||
| run: | | ||
| rm -rf build dist ./*.egg-info src/*.egg-info | ||
| python -m build --sdist --wheel |
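Review bot: the step runs `python -m build --sdist --wheel` and stops there, with no verification of the produced artifacts before they are checksummed and attested. Add a check step directly after the build, for example `python -m twine check --strict dist/*` followed by `sha256sum dist/*`, so that malformed package metadata fails the job and the digests of the exact files being attested are recorded in the run log.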
Pin the backend used for attested release builds
On tag-release runs, this still builds the checksummed/attested packages with unpinned tooling: PyPA build's CLI docs say isolated builds "installs the build dependencies specified in your pyproject.toml", and this repo's pyproject.toml asks for setuptools>=75.0.0 and wheel while neither is installed from the hash-locked requirements above. That means future releases can be produced by different build backend versions despite the new lock-file policy; install locked backend deps and run with --no-isolation or otherwise constrain the build dependencies.
| - name: Build wheel and source distribution | ||
| run: | | ||
| rm -rf build dist ./*.egg-info src/*.egg-info | ||
| python -m build --sdist --wheel |
Build the release wheel from the sdist
For release tags, passing both --sdist and --wheel disables build's default two-step flow; the PyPA docs note this form "builds both directly from source" instead of building the wheel from the extracted sdist. That can upload and attest a wheel that passed CI while the accompanying sdist is missing files or otherwise not buildable by users, so prefer the default python -m build flow (combined with the locked/no-isolation fix) or explicitly test rebuilding from the generated sdist before publishing.
Summary
Validation
- ruff check src tests
- mypy src
- pytest
- python -m build --sdist --wheel
- git diff --check