Use pinned build dpendencies in the release workflow

sbidoul · sbidoul · commit 2c5ff943b2f8 · 2025-01-19T11:26:38.000+01:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -12,12 +12,11 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: "3.x"
       - name: Build a binary wheel and a source tarball
-        run: pipx run build
+        run: |
+          python3 -m venv build-env
+          build-env/bin/python -m pip install --no-deps --require-hashes -r build-requirements.txt
+          build-env/bin/python -m build --no-isolation
       - name: Store the distribution packages
         uses: actions/upload-artifact@v4
         with:
diff --git a/MANIFEST.in b/MANIFEST.in
@@ -5,6 +5,9 @@ include README.rst
 include SECURITY.md
 include pyproject.toml
 
+include build-requirements.in
+include build-requirements.txt
+
 include src/pip/_vendor/README.rst
 include src/pip/_vendor/vendor.txt
 recursive-include  src/pip/_vendor *LICENSE*
diff --git a/build-requirements.in b/build-requirements.in
@@ -0,0 +1,2 @@
+build
+setuptools
diff --git a/build-requirements.txt b/build-requirements.txt
@@ -0,0 +1,24 @@
+#
+# This file is autogenerated by pip-compile with Python 3.12
+# by the following command:
+#
+#    pip-compile --allow-unsafe --generate-hashes build-requirements.in
+#
+build==1.2.2.post1 \
+    --hash=sha256:1d61c0887fa860c01971625baae8bdd338e517b836a2f70dd1f7aa3a6b2fc5b5 \
+    --hash=sha256:b36993e92ca9375a219c99e606a122ff365a760a2d4bba0caa09bd5278b608b7
+    # via -r build-requirements.in
+packaging==24.2 \
+    --hash=sha256:09abb1bccd265c01f4a3aa3f7a7db064b36514d2cba19a2f694fe6150451a759 \
+    --hash=sha256:c228a6dc5e932d346bc5739379109d49e8853dd8223571c7c5b55260edc0b97f
+    # via build
+pyproject-hooks==1.2.0 \
+    --hash=sha256:1e859bd5c40fae9448642dd871adf459e5e2084186e8d2c2a79a824c970da1f8 \
+    --hash=sha256:9e5c6bfa8dcc30091c74b0cf803c81fdd29d94f01992a7707bc97babb1141913
+    # via build
+
+# The following packages are considered to be unsafe in a requirements file:
+setuptools==75.8.0 \
+    --hash=sha256:c5afc8f407c626b8313a86e10311dd3f661c6cd9c09d4bf8c15c0e11f9f2b0e6 \
+    --hash=sha256:e3982f444617239225d675215d51f6ba05f845d4eec313da4418fdbb56fb27e3
+    # via -r build-requirements.in
