@@ -266,7 +267,7 @@ In order to build a distribution of your package locally instead of publishing i
make dist
```
-
This builds a source package and a binary distribution, and stores the files in your local `dist/` folder.
+
This builds a source package ([sdist](https://packaging.python.org/en/latest/discussions/package-formats/#what-is-a-source-distribution)) and a binary distribution ([wheel](https://packaging.python.org/en/latest/discussions/package-formats/#what-is-a-wheel)), and stores the files in your local `dist/` folder.
You can also generate a changelog and bump the version manually and locally using commitizen (already installed as a dev dependency), for example:
@@ -275,6 +276,26 @@ cz changelog
cz bump
```
+
## Building from a source distribution package
+
+
The source distribution package ([sdist](https://packaging.python.org/en/latest/discussions/package-formats/#what-is-a-source-distribution)) contains everything needed in order to check, test, and build a binary distribution ([wheel](https://packaging.python.org/en/latest/discussions/package-formats/#what-is-a-wheel)) and its documentation; that is particulalry useful for third-party packaging services that build their own software distribution packages using custom processes.
+
+
To build a everything from a source distribution package, simply follow these steps:
+
+
```bash
+
tar zxvf package.tar.gz # Unpack the tar file.
+
cd package/
+
git init # We need this to be a Git repository to run checks.
+
```
+
+
We do need to initialize the package folder as a Git repository to ensure the Makefile is able to call various checkers via hooks. Once done, we can use `make` as before:
+
+
```bash
+
SKIP=check-hooks-apply,check-useless-excludes,actionlint make dist
+
```
+
+
Note that we skip Git hooks that are unnecessary when building from the source distribution. As above, this builds both the source package and a binary distribution, and stores them in the `dist/` folder. In addition, as expected, setting the `SOURCE_DATE_EPOCH` environment variable to the build epoch value of the original sdist and wheel build results in the bit-exact same binary distribution package!
+
## Build integrity using SLSA framework
The build process in this repository follows the requirements in the [SLSA framework](https://slsa.dev/) to be compliant at level 3. An important aspect of SLSA to improve the supply chain security posture is to generate a verifiable provenance for the build pipeline. Such a provenance can be used to verify the builder and let the consumers check the materials and configurations used while building an artifact. In this repository we use the [generic provenance generator reusable workflow](https://github.com/slsa-framework/slsa-github-generator) to generate a provenance that can attest to the following artifacts in every release:
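Review bot: the unpacking steps `tar zxvf package.tar.gz` and `cd package/` use placeholder names; an sdist produced by `make dist` is named `<name>-<version>.tar.gz` and unpacks into `<name>-<version>/`, so either state that or show the real file name, otherwise the copy-paste sequence fails on the second line. After `git init` the unpacked tree is untracked: if the Makefile runs its checkers through pre-commit (the `SKIP=check-hooks-apply,check-useless-excludes,actionlint` syntax and those hook ids suggest it does), `pre-commit run --all-files` only enumerates files that `git ls-files` reports, so a `git add -A` between `git init` and `make dist` is needed for the hooks to see anything; please confirm what the `dist` target actually invokes and document the extra step if so. The same paragraph calls these "Git hooks", but the ids being skipped are pre-commit hook ids, not Git hooks. The reproducibility sentence should say where a consumer obtains the original `SOURCE_DATE_EPOCH` value (for example from the release build log or the provenance described in the next section) and that the same Python and build-backend versions must be used, since "the bit-exact same binary distribution package" is only true under those conditions and currently reads as an unconditional guarantee. Two typos in the added text: "particulalry" should be "particularly", and "To build a everything" should be "To build everything".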