
Harden release packaging signals#28

Merged
krotname merged 3 commits into
masterfrom
feature/public-repo-polish-20260621
Jun 21, 2026

Conversation

@krotname

Owner

Summary

  • convert the release workflow into a package-and-attest flow for wheel/sdist assets
  • publish SHA256SUMS and GitHub provenance attestations on tag releases
  • document dependency locks, Docker digest pinning, and release verification

Validation

  • ruff check src tests
  • mypy src
  • pytest
  • python -m build --sdist --wheel
  • workflow YAML parse and bash syntax checks
  • git diff --check

@krotname krotname marked this pull request as ready for review June 21, 2026 01:46
@krotname krotname merged commit 759215f into master Jun 21, 2026
12 checks passed
@krotname krotname deleted the feature/public-repo-polish-20260621 branch June 21, 2026 01:48

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0689f93610

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

- name: Build wheel and source distribution
  run: |
    rm -rf build dist ./*.egg-info src/*.egg-info
    python -m build --sdist --wheel


P2: Pin the backend used for attested release builds

On tag-release runs, this still builds the checksummed/attested packages with unpinned tooling: PyPA build's CLI docs say isolated builds "installs the build dependencies specified in your pyproject.toml", and this repo's pyproject.toml asks for setuptools>=75.0.0 and wheel while neither is installed from the hash-locked requirements above. That means future releases can be produced by different build backend versions despite the new lock-file policy; install locked backend deps and run with --no-isolation or otherwise constrain the build dependencies.


- name: Build wheel and source distribution
  run: |
    rm -rf build dist ./*.egg-info src/*.egg-info
    python -m build --sdist --wheel


P2: Build the release wheel from the sdist

For release tags, passing both --sdist and --wheel disables build's default two-step flow; the PyPA docs note this form "builds both directly from source" instead of building the wheel from the extracted sdist. That can upload and attest a wheel that passed CI while the accompanying sdist is missing files or otherwise not buildable by users, so prefer the default python -m build flow (combined with the locked/no-isolation fix) or explicitly test rebuilding from the generated sdist before publishing.

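Both review points above (the backend installed unpinned under build isolation, and `--sdist --wheel` skipping the sdist-to-wheel step) in one added example; this is not code from the PR or its repository. It assumes a bash runner with awk, grep and sha256sum, a hash-locked file named requirements-build.txt (a placeholder name, the PR's file is not shown), and the setuptools backend declared in pyproject.toml.

```shell
#!/usr/bin/env bash
# Added example, not part of the PR: check that every [build-system] requirement in
# pyproject.toml is pinned (name==version plus --hash) in a hash-locked requirements
# file, then build without isolation so the release uses those locked versions.
set -eu

# Print the package names listed under [build-system] requires = [...].
build_requires() {                      # $1 = path to pyproject.toml
  awk '
    /^\[/ { in_bs = ($0 == "[build-system]") }
    in_bs && /requires/ { collecting = 1 }
    collecting {
      line = $0
      while (match(line, /"[^"]+"/)) {
        spec = substr(line, RSTART + 1, RLENGTH - 2)
        sub(/[<>=!~; ].*/, "", spec)   # drop version specifier and markers
        print tolower(spec)
        line = substr(line, RSTART + RLENGTH)
      }
      if (line ~ /\]/) collecting = 0
    }' "$1"
}

# Return 0 when every build requirement is pinned with == and a sha256 hash in the
# lock file (pip's "pkg==ver \ --hash=sha256:..." layout); otherwise list the
# unpinned names on stderr and return 1.
check_build_backend_locked() {          # $1 = pyproject.toml, $2 = hash-locked requirements
  local joined name missing=0
  # Join backslash-continued lines so a requirement and its hashes sit on one line.
  joined=$(awk '{ if (sub(/\\$/, "")) buf = buf $0; else { print buf $0; buf = "" } }' "$2")
  for name in $(build_requires "$1"); do
    if ! printf '%s\n' "$joined" | grep -Eiq "^${name}==[^ ]+.*--hash=sha256:"; then
      echo "unpinned build dependency: $name" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Hardened release step: fail closed if a backend dependency is unpinned, install
# the locked backend, then let build run its default sdist -> wheel flow without
# isolation. requirements-build.txt is an assumed file name, not the PR's.
release_build() {                       # $1 = hash-locked build requirements file
  check_build_backend_locked pyproject.toml "$1"
  python -m pip install --require-hashes -r "$1"
  rm -rf build dist ./*.egg-info src/*.egg-info
  python -m build --no-isolation        # sdist first, then the wheel from that sdist
  (cd dist && sha256sum -- *.tar.gz *.whl > SHA256SUMS)
}
```

Run `release_build requirements-build.txt` in the tag-release job; the check in the first two functions costs nothing and turns a silently drifting backend version into a failed build.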
