build: add workaround to auto-update build system

Dependabot does not support `build-system.requires`. To get
reproducibility and auto-updates, we pin the version in a regular
requirements file and use it as a constraint during the build.

fixes: #2529
upstream issue: dependabot/dependabot-core#8465
h/t @jku

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Lukas Puehringer 2023-12-13 11:21:31 +01:00
parent 7c5f5d2517
commit dd9b5e0da2
3 changed files with 6 additions and 3 deletions


@ -31,7 +31,7 @@ jobs:
run: python3 -m pip install --constraint requirements/build.txt build
- name: Build binary wheel and source tarball
run: python3 -m build --sdist --wheel --outdir dist/ .
run: PIP_CONSTRAINT=requirements/build.txt python3 -m build --sdist --wheel --outdir dist/ .
- name: Store build artifacts
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
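Review bot: The constraint on the build step is passed as an inline shell prefix on the `run:` line, which only works in a POSIX shell and is easy to drop when the command is next edited. A step-level `env: { PIP_CONSTRAINT: requirements/build.txt }`, with the `run:` line left as `python3 -m build --sdist --wheel --outdir dist/ .`, would state the pin declaratively. Because the release artifacts now depend on this variable being set, a comment on the step such as `# PIP_CONSTRAINT pins the build backend, see requirements/build.txt` would also help.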


@ -1,6 +1,8 @@
[build-system]
# hatchling pinned for reproducibility: version should be kept up-to-date
requires = ["hatchling==1.20.0"]
# Dependabot cannot do `build-system.requires` (dependabot/dependabot-core#8465)
# workaround to get reproducibility and auto-updates:
# PIP_CONSTRAINT=requirements/build.txt python3 -m build ...
requires = ["hatchling"]
build-backend = "hatchling.build"
[project]
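Review bot: With `requires = ["hatchling"]` the backend version is no longer enforced by the package metadata, so any build that does not set `PIP_CONSTRAINT` (a local `python3 -m build`, or an installer building from the sdist) resolves whatever hatchling release is current. The new comment gives the workaround command but not this consequence; I would add `# NOTE: without PIP_CONSTRAINT the backend is unpinned; release builds must set it`. If third parties are expected to rebuild and compare releases, it is worth confirming that requirements/build.txt ships in the sdist, which is not visible in this section.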


@ -2,3 +2,4 @@
# during CI and CD Github workflows
build==1.0.3
tox==4.1.2
hatchling==1.20.0
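Review bot: `hatchling==1.20.0` pins the backend itself, but the constraints file as shown lists only build, tox and hatchling, so hatchling's own dependencies (packaging, pathspec and pluggy among them, as far as I know) are still resolved at their latest versions inside the isolated build environment. For the reproducibility the commit message aims at, those would need pins in this file too. A version pin also does not bind the artifact digest; if that matters for release builds, per-requirement `--hash=sha256:...` entries are the usual mechanism, though whether pip enforces them through a constraints file should be checked first.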