Upload verification files to GitHub Releases + fix PEP 668 issue

oberstet · oberstet · commit 333b05a902e6 · 2025-10-20T02:39:28.000+02:00
This commit completes the end-to-end chain-of-custody security architecture and fixes a PEP 668 error that was blocking macOS builds. ## Changes: 1. **Upload verification files to GitHub Releases** (Issue #1716) - Modified release.yml to copy verification files with prefixes: * wheels-CHECKSUMS.sha256, wheels-VALIDATION.txt * docker-CHECKSUMS.sha256, docker-VALIDATION.txt, docker-build-info.txt * arm64-CHECKSUMS.sha256, arm64-VALIDATION.txt, arm64-build-info.txt * autobahn-*.verify.txt (source distribution verification) - Verification files provide transparency for supply chain integrity - Files uploaded to GitHub Releases alongside wheels - Files excluded from PyPI uploads (PyPI only accepts .whl/.tar.gz) 2. **Fix PEP 668 externally-managed-environment error** - Added --break-system-packages flag to all pip install commands - Applies to: wheels.yml, wheels-docker.yml, wheels-arm64.yml, release.yml - Safe for ephemeral CI runners that are destroyed after each run - Fixes error: "externally-managed-environment" on macOS runners ## Security Architecture (Complete): Build → Validate → SHA256 → Upload Artifacts ↓ ↓ ↓ ↓ .whl VALIDATION CHECKSUMS (together) ↓ Download ↓ Re-verify SHA256 ↓ GitHub Release + PyPI (with verification (wheels only) files for audit) All three wheel-building workflows now have complete chain-of-custody: - wheels (Linux/macOS/Windows) - wheels-docker (manylinux x86_64) - wheels-arm64 (manylinux ARM64)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -520,22 +520,51 @@ jobs:
           echo "==> Consolidating all artifacts into unified release directory..."
           mkdir -p release-artifacts
 
-          # Copy wheels from wheels workflow
+          # Copy wheels and verification files from wheels workflow
           if [ -d "dist" ]; then
             echo "Copying wheels workflow artifacts..."
             find dist -type f \( -name "*.whl" -o -name "*.tar.gz" \) -exec cp {} release-artifacts/ \;
+            # Copy verification escort files with "wheels-" prefix to avoid naming collisions
+            if [ -f "dist/CHECKSUMS.sha256" ]; then
+              cp dist/CHECKSUMS.sha256 release-artifacts/wheels-CHECKSUMS.sha256
+            fi
+            if [ -f "dist/VALIDATION.txt" ]; then
+              cp dist/VALIDATION.txt release-artifacts/wheels-VALIDATION.txt
+            fi
+            # Copy source distribution verification reports (already have unique names)
+            find dist -type f -name "*.verify.txt" -exec cp {} release-artifacts/ \; 2>/dev/null || true
           fi
 
-          # Copy wheels from wheels-docker workflow
+          # Copy wheels and verification files from wheels-docker workflow
           if [ -d "wheelhouse" ]; then
             echo "Copying wheels-docker workflow artifacts..."
             find wheelhouse -type f \( -name "*.whl" -o -name "*.tar.gz" \) -exec cp {} release-artifacts/ \;
+            # Copy verification escort files with "docker-" prefix to avoid naming collisions
+            if [ -f "wheelhouse/CHECKSUMS.sha256" ]; then
+              cp wheelhouse/CHECKSUMS.sha256 release-artifacts/docker-CHECKSUMS.sha256
+            fi
+            if [ -f "wheelhouse/VALIDATION.txt" ]; then
+              cp wheelhouse/VALIDATION.txt release-artifacts/docker-VALIDATION.txt
+            fi
+            if [ -f "wheelhouse/build-info.txt" ]; then
+              cp wheelhouse/build-info.txt release-artifacts/docker-build-info.txt
+            fi
           fi
 
-          # Copy ARM64 wheels from wheels-arm64 workflow
+          # Copy ARM64 wheels and verification files from wheels-arm64 workflow
           if [ -d "wheelhouse-arm64" ]; then
             echo "Copying wheels-arm64 workflow artifacts..."
             find wheelhouse-arm64 -type f \( -name "*.whl" -o -name "*.tar.gz" \) -exec cp {} release-artifacts/ \;
+            # Copy verification escort files with "arm64-" prefix to avoid naming collisions
+            if [ -f "wheelhouse-arm64/CHECKSUMS.sha256" ]; then
+              cp wheelhouse-arm64/CHECKSUMS.sha256 release-artifacts/arm64-CHECKSUMS.sha256
+            fi
+            if [ -f "wheelhouse-arm64/VALIDATION.txt" ]; then
+              cp wheelhouse-arm64/VALIDATION.txt release-artifacts/arm64-VALIDATION.txt
+            fi
+            if [ -f "wheelhouse-arm64/build-info.txt" ]; then
+              cp wheelhouse-arm64/build-info.txt release-artifacts/arm64-build-info.txt
+            fi
           fi
 
           # Copy wstest conformance results
@@ -564,6 +593,11 @@ jobs:
           echo ""
           echo "Wheels: $(find release-artifacts -name "*.whl" | wc -l)"
           echo "Source dists: $(find release-artifacts -name "*.tar.gz" ! -name "flatbuffers-schema.tar.gz" ! -name "autobahn-python-websocket-conformance-*.tar.gz" | wc -l)"
+          echo "Verification files (chain-of-custody):"
+          echo "  - SHA256 checksums: $(find release-artifacts -name "*CHECKSUMS.sha256" | wc -l)"
+          echo "  - Build validation: $(find release-artifacts -name "*VALIDATION.txt" | wc -l)"
+          echo "  - Source verification: $(find release-artifacts -name "*.verify.txt" | wc -l)"
+          echo "  - Build metadata: $(find release-artifacts -name "*build-info.txt" | wc -l)"
           echo "Wstest reports: $(find release-artifacts -name "*wstest*" | wc -l)"
           echo "FlatBuffers schema: $(ls release-artifacts/flatbuffers-schema.tar.gz 2>/dev/null && echo 'packaged' || echo 'not found')"
           echo "Conformance reports: $(ls release-artifacts/autobahn-python-websocket-conformance-*.tar.gz 2>/dev/null && echo 'packaged' || echo 'not found')"
@@ -580,8 +614,9 @@ jobs:
           echo ""
           echo "Installing twine for validation..."
           # Install both packaging and twine from master for PEP 639 (Core Metadata 2.4) support
-          python3 -m pip install git+https://github.com/pypa/packaging.git
-          python3 -m pip install git+https://github.com/pypa/twine.git
+          # Use --break-system-packages for consistency (safe in CI)
+          python3 -m pip install --break-system-packages git+https://github.com/pypa/packaging.git
+          python3 -m pip install --break-system-packages git+https://github.com/pypa/twine.git
           echo ""
 
           echo "==> Validation environment:"
@@ -1146,22 +1181,51 @@ jobs:
           echo "==> Consolidating all artifacts into unified release directory..."
           mkdir -p release-artifacts
 
-          # Copy wheels from wheels workflow
+          # Copy wheels and verification files from wheels workflow
           if [ -d "dist" ]; then
             echo "Copying wheels workflow artifacts..."
             find dist -type f \( -name "*.whl" -o -name "*.tar.gz" \) -exec cp {} release-artifacts/ \;
+            # Copy verification escort files with "wheels-" prefix to avoid naming collisions
+            if [ -f "dist/CHECKSUMS.sha256" ]; then
+              cp dist/CHECKSUMS.sha256 release-artifacts/wheels-CHECKSUMS.sha256
+            fi
+            if [ -f "dist/VALIDATION.txt" ]; then
+              cp dist/VALIDATION.txt release-artifacts/wheels-VALIDATION.txt
+            fi
+            # Copy source distribution verification reports (already have unique names)
+            find dist -type f -name "*.verify.txt" -exec cp {} release-artifacts/ \; 2>/dev/null || true
           fi
 
-          # Copy wheels from wheels-docker workflow
+          # Copy wheels and verification files from wheels-docker workflow
           if [ -d "wheelhouse" ]; then
             echo "Copying wheels-docker workflow artifacts..."
             find wheelhouse -type f \( -name "*.whl" -o -name "*.tar.gz" \) -exec cp {} release-artifacts/ \;
+            # Copy verification escort files with "docker-" prefix to avoid naming collisions
+            if [ -f "wheelhouse/CHECKSUMS.sha256" ]; then
+              cp wheelhouse/CHECKSUMS.sha256 release-artifacts/docker-CHECKSUMS.sha256
+            fi
+            if [ -f "wheelhouse/VALIDATION.txt" ]; then
+              cp wheelhouse/VALIDATION.txt release-artifacts/docker-VALIDATION.txt
+            fi
+            if [ -f "wheelhouse/build-info.txt" ]; then
+              cp wheelhouse/build-info.txt release-artifacts/docker-build-info.txt
+            fi
           fi
 
-          # Copy ARM64 wheels from wheels-arm64 workflow
+          # Copy ARM64 wheels and verification files from wheels-arm64 workflow
           if [ -d "wheelhouse-arm64" ]; then
             echo "Copying wheels-arm64 workflow artifacts..."
             find wheelhouse-arm64 -type f \( -name "*.whl" -o -name "*.tar.gz" \) -exec cp {} release-artifacts/ \;
+            # Copy verification escort files with "arm64-" prefix to avoid naming collisions
+            if [ -f "wheelhouse-arm64/CHECKSUMS.sha256" ]; then
+              cp wheelhouse-arm64/CHECKSUMS.sha256 release-artifacts/arm64-CHECKSUMS.sha256
+            fi
+            if [ -f "wheelhouse-arm64/VALIDATION.txt" ]; then
+              cp wheelhouse-arm64/VALIDATION.txt release-artifacts/arm64-VALIDATION.txt
+            fi
+            if [ -f "wheelhouse-arm64/build-info.txt" ]; then
+              cp wheelhouse-arm64/build-info.txt release-artifacts/arm64-build-info.txt
+            fi
           fi
 
           # Copy wstest conformance results
@@ -1190,6 +1254,11 @@ jobs:
           echo ""
           echo "Wheels: $(find release-artifacts -name "*.whl" | wc -l)"
           echo "Source dists: $(find release-artifacts -name "*.tar.gz" ! -name "flatbuffers-schema.tar.gz" ! -name "autobahn-python-websocket-conformance-*.tar.gz" | wc -l)"
+          echo "Verification files (chain-of-custody):"
+          echo "  - SHA256 checksums: $(find release-artifacts -name "*CHECKSUMS.sha256" | wc -l)"
+          echo "  - Build validation: $(find release-artifacts -name "*VALIDATION.txt" | wc -l)"
+          echo "  - Source verification: $(find release-artifacts -name "*.verify.txt" | wc -l)"
+          echo "  - Build metadata: $(find release-artifacts -name "*build-info.txt" | wc -l)"
           echo "Wstest reports: $(find release-artifacts -name "*wstest*" | wc -l)"
           echo "FlatBuffers schema: $(ls release-artifacts/flatbuffers-schema.tar.gz 2>/dev/null && echo 'packaged' || echo 'not found')"
           echo "Conformance reports: $(ls release-artifacts/autobahn-python-websocket-conformance-*.tar.gz 2>/dev/null && echo 'packaged' || echo 'not found')"
@@ -1206,8 +1275,9 @@ jobs:
           echo ""
           echo "Installing twine for validation..."
           # Install both packaging and twine from master for PEP 639 (Core Metadata 2.4) support
-          python3 -m pip install git+https://github.com/pypa/packaging.git
-          python3 -m pip install git+https://github.com/pypa/twine.git
+          # Use --break-system-packages for consistency (safe in CI)
+          python3 -m pip install --break-system-packages git+https://github.com/pypa/packaging.git
+          python3 -m pip install --break-system-packages git+https://github.com/pypa/twine.git
           echo ""
 
           echo "==> Validation environment:"
@@ -1792,8 +1862,9 @@ jobs:
           echo "Last chance to catch corrupted packages before PyPI upload."
           echo ""
           # Install both packaging and twine from master for PEP 639 (Core Metadata 2.4) support
-          python3 -m pip install git+https://github.com/pypa/packaging.git
-          python3 -m pip install git+https://github.com/pypa/twine.git
+          # Use --break-system-packages for consistency (safe in CI)
+          python3 -m pip install --break-system-packages git+https://github.com/pypa/packaging.git
+          python3 -m pip install --break-system-packages git+https://github.com/pypa/twine.git
           echo ""
 
           echo "==> Validation environment:"
@@ -1885,8 +1956,9 @@ jobs:
         run: |
           echo "==> Publishing to PyPI using twine from master..."
           # Install bleeding-edge packaging and twine for PEP 639 support
-          python3 -m pip install git+https://github.com/pypa/packaging.git
-          python3 -m pip install git+https://github.com/pypa/twine.git
+          # Use --break-system-packages for consistency (safe in CI)
+          python3 -m pip install --break-system-packages git+https://github.com/pypa/packaging.git
+          python3 -m pip install --break-system-packages git+https://github.com/pypa/twine.git
 
           echo "Upload environment:"
           echo "twine: $(twine --version)"
diff --git a/.github/workflows/wheels-arm64.yml b/.github/workflows/wheels-arm64.yml
@@ -201,8 +201,9 @@ jobs:
           echo ""
           echo "Installing twine for validation..."
           # Install both packaging and twine from master for PEP 639 (Core Metadata 2.4) support
-          python3 -m pip install git+https://github.com/pypa/packaging.git
-          python3 -m pip install git+https://github.com/pypa/twine.git
+          # Use --break-system-packages for consistency (safe in CI)
+          python3 -m pip install --break-system-packages git+https://github.com/pypa/packaging.git
+          python3 -m pip install --break-system-packages git+https://github.com/pypa/twine.git
           echo ""
 
           echo "==> Validation environment:"
diff --git a/.github/workflows/wheels-docker.yml b/.github/workflows/wheels-docker.yml
@@ -257,8 +257,9 @@ jobs:
           # Ensure pip is available for the Python being used
           python3 -m ensurepip --upgrade 2>/dev/null || true
           # Install both packaging and twine from master for PEP 639 (Core Metadata 2.4) support
-          python3 -m pip install git+https://github.com/pypa/packaging.git
-          python3 -m pip install git+https://github.com/pypa/twine.git
+          # Use --break-system-packages for consistency (safe in CI containers)
+          python3 -m pip install --break-system-packages git+https://github.com/pypa/packaging.git
+          python3 -m pip install --break-system-packages git+https://github.com/pypa/twine.git
           echo ""
 
           echo "==> Validation environment:"
diff --git a/.github/workflows/wheels.yml b/.github/workflows/wheels.yml
@@ -216,8 +216,9 @@ jobs:
           echo "======================================================================"
           echo ""
           echo "Installing twine for validation..."
-          python3 -m pip install git+https://github.com/pypa/packaging.git
-          python3 -m pip install git+https://github.com/pypa/twine.git
+          # Use --break-system-packages for consistency (safe in CI)
+          python3 -m pip install --break-system-packages git+https://github.com/pypa/packaging.git
+          python3 -m pip install --break-system-packages git+https://github.com/pypa/twine.git
           echo ""
 
           echo "==> Validation environment:"
@@ -391,8 +392,9 @@ jobs:
           echo "==> Validating Wheel Integrity (macOS)"
           echo "======================================================================"
           echo ""
-          python3 -m pip install git+https://github.com/pypa/packaging.git
-          python3 -m pip install git+https://github.com/pypa/twine.git
+          # Use --break-system-packages since this is an ephemeral CI runner
+          python3 -m pip install --break-system-packages git+https://github.com/pypa/packaging.git
+          python3 -m pip install --break-system-packages git+https://github.com/pypa/twine.git
           echo ""
 
           VALIDATION_FILE="dist/VALIDATION.txt"
@@ -488,8 +490,9 @@ jobs:
           Write-Host "==> Validating Wheel Integrity (Windows)"
           Write-Host "======================================================================"
           Write-Host ""
-          python -m pip install git+https://github.com/pypa/packaging.git
-          python -m pip install git+https://github.com/pypa/twine.git
+          # Use --break-system-packages for consistency (safe in CI)
+          python -m pip install --break-system-packages git+https://github.com/pypa/packaging.git
+          python -m pip install --break-system-packages git+https://github.com/pypa/twine.git
           Write-Host ""
 
           $validationFile = "dist\VALIDATION.txt"
