From abdf0ca54a5cda0b1a8731fb009968e1213349ec Mon Sep 17 00:00:00 2001
From: "Danilo M."
Date: Fri, 26 Jun 2026 12:07:06 +0200
Subject: mkwheels: download wheels and emit hashed requirements.txt

---
 mkwheels | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/mkwheels b/mkwheels
index bbacb9b..6e14e84 100755
--- a/mkwheels
+++ b/mkwheels
@@ -74,3 +74,34 @@ if [ -z "$epoch" ]; then
   echo "warning: epoch not given; using PyPI upload time $iso (epoch $epoch)" >&2
 fi
 export SOURCE_DATE_EPOCH="$epoch"
+
+# Throwaway workdir, cleaned on exit.
+work=$(mktemp -d)
+trap 'rm -rf "$work"' EXIT
+
+wheels="$work/wheels"
+mkdir -p "$wheels"
+
+# Isolated build env so host pip config / installed pkgs don't leak in.
+python3 -m venv "$work/venv"
+"$work/venv/bin/pip" install --quiet --upgrade pip wheel >/dev/null
+
+# Resolve the full tree into $wheels (sdists are built to wheels).
+"$work/venv/bin/pip" download "$pkg==$ver" --dest "$wheels"
+
+# Emit a pinned, hashed requirements.txt from the downloaded files. Each
+# distribution is pinned to its version with a sha256 hash per file.
+req="$work/requirements.txt"
+: > "$req"
+for f in "$wheels"/*; do
+  base=$(basename "$f")
+  # name-version from the wheel/sdist filename: split on first two '-' fields
+  # wheels: name-version-...; sdists: name-version.tar.gz
+  name=${base%%-*}
+  rest=${base#*-}
+  version=${rest%%-*}
+  version=${version%.tar.gz}
+  hash=$(python3 -c "import hashlib,sys;print(hashlib.sha256(open(sys.argv[1],'rb').read()).hexdigest())" "$f")
+  printf '%s==%s --hash=sha256:%s\n' "$name" "$version" "$hash" >> "$req"
+done
+sort -o "$req" "$req"
--
cgit v1.2.3
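Review bot: `name=${base%%-*}` and the following `rest`/`version` expansions assume the project name contains no `-`, which holds for wheel filenames (PEP 427 escapes `-` to `_`) but not for legacy sdist names such as a constructed `some-project-1.2.tar.gz`, which would be emitted as `some==project`, and `.zip` sdists are not stripped at all, so their version keeps the extension. Because the output is meant to be consumed with `--require-hashes`, a mis-parsed line makes the whole install fail rather than silently weakening the pin, but it still breaks the build, so the two filename shapes should be parsed separately as sketched below. `pip download` also selects wheels for the host's interpreter and platform, so the resulting requirements.txt is only installable on a matching environment unless the download is given `--only-binary :all:` with explicit `--platform`/`--python-version`, or `--no-binary :all:` to pin platform-independent sdists; a comment next to the `pip download` line stating which environment the pins target would help. The comment `# Resolve the full tree into $wheels (sdists are built to wheels).` seems inconsistent with the loop's `.tar.gz` handling, since `pip download` keeps sdists as downloaded; `(sdists are kept as downloaded)` would match the code. The enclosing script begins before this hunk, so whether `set -e` guards `work=$(mktemp -d)` is not visible here.

```shell
  base=$(basename "$f")
  case "$base" in
    *.whl)
      # PEP 427 wheel names escape '-' in the project name to '_',
      # so the first two '-' fields are name and version.
      name=${base%%-*}
      rest=${base#*-}
      version=${rest%%-*} ;;
    *.tar.gz|*.zip)
      # sdist: the project name may itself contain '-', so take the
      # version as the LAST '-' field of the extension-less stem.
      stem=${base%.tar.gz}
      stem=${stem%.zip}
      name=${stem%-*}
      version=${stem##*-} ;;
    *)
      echo "mkwheels: unrecognised distribution file: $base" >&2
      exit 1 ;;
  esac
  # … unchanged: sha256 computation and printf into "$req" …
```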