build: add workaround to auto-update build system
Dependabot does not support `build-system.requires`. To get reproducibility and auto-updates, we pin the version in a regular requirements file and use it as constraint during build. fixes: #2529 upstream issue: dependabot/dependabot-core#8465 h/t @jku Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
parent
7c5f5d2517
commit
dd9b5e0da2
3 changed files with 6 additions and 3 deletions
2
.github/workflows/cd.yml
vendored
2
.github/workflows/cd.yml
vendored
|
|
@ -31,7 +31,7 @@ jobs:
|
|||
run: python3 -m pip install --constraint requirements/build.txt build
|
||||
|
||||
- name: Build binary wheel and source tarball
|
||||
run: python3 -m build --sdist --wheel --outdir dist/ .
|
||||
run: PIP_CONSTRAINT=requirements/build.txt python3 -m build --sdist --wheel --outdir dist/ .
|
||||
|
||||
- name: Store build artifacts
|
||||
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
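Review bot: The `PIP_CONSTRAINT=requirements/build.txt` prefix on the "Build binary wheel and source tarball" step only constrains packages named in that file, and only by version. Judging from the requirements/build.txt hunk on this page (build, tox, hatchling), hatchling's own dependencies are still resolved freshly inside the isolated build environment at release time, and nothing is checked against a hash. For the release job I would pin the whole build-time dependency set in the constraints file, with `--hash` entries if the runner's pip honours them in constraint files (to be confirmed), and add a comment above the step such as `# PIP_CONSTRAINT pins build-system.requires inside build's isolated env, see pyproject.toml`. The job's step list starts and ends outside the hunk.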
|
||||
|
|
|
|||
|
|
@ -1,6 +1,8 @@
|
|||
[build-system]
|
||||
# hatchling pinned for reproducibility: version should be kept up-to-date
|
||||
requires = ["hatchling==1.20.0"]
|
||||
# Dependabot cannot do `build-system.requires` (dependabot/dependabot-core#8465)
|
||||
# workaround to get reproducibility and auto-updates:
|
||||
# PIP_CONSTRAINT=requirements/build.txt python3 -m build ...
|
||||
requires = ["hatchling"]
|
||||
build-backend = "hatchling.build"
|
||||
|
||||
[project]
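Review bot: With `requires = ["hatchling"]` now unpinned, the version pin applies only where PIP_CONSTRAINT is set, yet the added comment reads as if reproducibility were a property of the project itself. Any other build path, such as a local `python3 -m build` or pip building from the sdist, silently picks up whatever hatchling release is current. I would say so in the comment, e.g. `# NOTE: without PIP_CONSTRAINT the build backend is unpinned (latest hatchling is used)`, so a reader does not assume otherwise. The `[project]` table continues outside the hunk.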
|
||||
|
|
|
|||
|
|
@ -2,3 +2,4 @@
|
|||
# during CI and CD Github workflows
|
||||
build==1.0.3
|
||||
tox==4.1.2
|
||||
hatchling==1.20.0
|
||||
|
|
|
|||