
Harden release build isolation#32

Merged
krotname merged 1 commit into master from codex/fix-release-build-hash-lock-issue on Jun 25, 2026

Conversation

@krotname

Owner

Motivation

  • Prevent a PEP 517 build-time supply-chain risk where the release job ran python -m build in isolated mode and therefore could install unpinned build-backend dependencies (setuptools, wheel) outside the hash-locked environment.
  • Ensure artifacts are produced using build backend versions and hashes already installed under --require-hashes so checksums and attestations cover the final, locked build output.

Description

  • Update the release workflow in .github/workflows/release.yml to run the build with python -m build --sdist --wheel --no-isolation so the job uses the pre-installed, hash-locked environment.
  • Pin the PEP 517 build-system requirements in pyproject.toml to exact versions setuptools==82.0.1 and wheel==0.47.0.
  • Add hashed setuptools==82.0.1 and wheel==0.47.0 entries to requirements-dev.lock so python -m pip install --require-hashes -r requirements-dev.lock installs exact, hashed build-backend wheels prior to the non-isolated build.

Testing

  • Verified pyproject.toml parses with tomllib using python - <<'PY' ... tomllib.load(...) ... PY, which succeeded.
  • Asserted the release workflow contains both the hashed install step and the guarded build invocation using python -m build --no-isolation, which succeeded.
  • Attempted python -m pytest in the container, but the run failed due to test runner configuration requiring pytest-cov options that are not available in this environment, so end-to-end test execution was not completed.

Codex Task

@krotname krotname enabled auto-merge (squash) June 25, 2026 05:26
@krotname krotname disabled auto-merge June 25, 2026 05:26
@krotname krotname merged commit f81f9f0 into master Jun 25, 2026
13 checks passed
@krotname krotname deleted the codex/fix-release-build-hash-lock-issue branch June 25, 2026 05:26