-rwxr-xr-xmkwheels31
1 files changed, 31 insertions, 0 deletions
diff --git a/mkwheels b/mkwheels
index bbacb9b..6e14e84 100755
--- a/mkwheels
+++ b/mkwheels
@@ -74,3 +74,34 @@ if [ -z "$epoch" ]; then
echo "warning: epoch not given; using PyPI upload time $iso (epoch $epoch)" >&2
fi
export SOURCE_DATE_EPOCH="$epoch"
+
+# Throwaway workdir, cleaned on exit.
+work=$(mktemp -d)
+trap 'rm -rf "$work"' EXIT
+
+wheels="$work/wheels"
+mkdir -p "$wheels"
+
+# Isolated build env so host pip config / installed pkgs don't leak in.
+python3 -m venv "$work/venv"
+"$work/venv/bin/pip" install --quiet --upgrade pip wheel >/dev/null
+
+# Resolve the full tree into $wheels (sdists are built to wheels).
+"$work/venv/bin/pip" download "$pkg==$ver" --dest "$wheels"
+
+# Emit a pinned, hashed requirements.txt from the downloaded files. Each
+# distribution is pinned to its version with a sha256 hash per file.
+req="$work/requirements.txt"
+: > "$req"
+for f in "$wheels"/*; do
+ base=$(basename "$f")
+ # name-version from the wheel/sdist filename: split on first two '-' fields
+ # wheels: name-version-...; sdists: name-version.tar.gz
+ name=${base%%-*}
+ rest=${base#*-}
+ version=${rest%%-*}
+ version=${version%.tar.gz}
+ hash=$(python3 -c "import hashlib,sys;print(hashlib.sha256(open(sys.argv[1],'rb').read()).hexdigest())" "$f")
+ printf '%s==%s --hash=sha256:%s\n' "$name" "$version" "$hash" >> "$req"
+done
+sort -o "$req" "$req"
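Review bot: The comment above the venv creation says host pip config does not leak in, but a venv only isolates installed packages; pip run as `"$work/venv/bin/pip"` still reads the user's pip.conf and `PIP_*` environment variables, so a host-level `index-url`/`extra-index-url`/`trusted-host` setting silently changes which files land in `$wheels` and get hashed into the lockfile. Run both pip invocations with `--isolated` (e.g. `"$work/venv/bin/pip" --isolated download "$pkg==$ver" --dest "$wheels"`) so the output does not depend on host configuration. Separately, the split at `name=${base%%-*}` assumes the first '-' ends the project name, which holds for wheels (PEP 427 normalises '-' to '_' in wheel filenames) but not for sdists whose project name contains a hyphen (constructed example: `python-dateutil-2.8.2.tar.gz` yields name `python`, version `dateutil`), and a `.zip` sdist keeps its suffix in `$version`; splitting sdists on the last '-' and rejecting unknown file types fixes both, as below. The "sdists are built to wheels" remark on the `pip download` comment also seems at odds with the `.tar.gz` handling in the loop — as invoked here pip download appears to leave sdists as sdists, so that comment should probably just say the full tree is downloaded.
```shell
for f in "$wheels"/*; do
  base=$(basename "$f")
  case "$base" in
    *.whl)
      # wheel filenames normalise '-' in the project name to '_' (PEP 427),
      # so the first two '-' fields are name and version
      name=${base%%-*}
      rest=${base#*-}
      version=${rest%%-*}
      ;;
    *.tar.gz|*.zip)
      # sdist project names may contain '-'; normalised versions do not,
      # so split on the LAST '-' instead
      stem=${base%.tar.gz}
      stem=${stem%.zip}
      name=${stem%-*}
      version=${stem##*-}
      ;;
    *)
      printf 'unexpected distribution file: %s\n' "$base" >&2
      exit 1
      ;;
  esac
  # … unchanged: sha256 computation and requirements line …
done
```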