Use new create package action with attestation (forked repo action)

.github/workflows/ci.yml

@@ -5,10 +5,15 @@ on:
     branches:
       - main
   workflow_call:
+    inputs:
+      attest-package:
+        description: "Create GitHub provenance attestation for the package."
+        default: "false"
+        type: string
     outputs:
-      artifact-name:
-        description: "Name of the uploaded artifact; use for artifact retrieval."
-        value: ${{ jobs.package.outputs.artifact-name }}
+      artifact-basename:
+        description: "Base name of the uploaded artifacts; use for artifact retrieval."
+        value: ${{ jobs.package.outputs.artifact-basename }}
 
 env:
   min_python_version: "3.8"
@@ -38,12 +43,11 @@ jobs:
       tox-source: "./core[dev]"
 
   package:
-    name: Python package
-    uses: beeware/.github/.github/workflows/python-package-create.yml@main
-    with:
-      tox-source: "./core[dev]"
-      build-subdirectory: ${{ matrix.subdir }}
-      distribution-path: "*/dist/*"
+    name: Package Toga
+    permissions:
+      id-token: write
+      contents: read
+      attestations: write
     strategy:
       matrix:
         subdir:
@@ -58,6 +62,11 @@ jobs:
         - "textual"
         - "web"
         - "winforms"
+#    uses: beeware/.github/.github/workflows/python-package-create.yml@main
+    uses: rmartin16/.github-beeware/.github/workflows/python-package-create.yml@hynek-build
+    with:
+      build-subdirectory: ${{ matrix.subdir }}
+      attest: ${{ inputs.attest-package }}
 
   core:
     name: Test core
@@ -94,30 +103,42 @@ jobs:
     steps:
     - name: Checkout
       uses: actions/[email protected]
+      with:
+        fetch-depth: 0
+
+    - name: Checkout beeware/.github
+      uses: actions/[email protected]
+      with:
+        repository: beeware/.github
+        path: .github-beeware
 
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/[email protected]
       with:
         python-version: ${{ matrix.python-version }}
 
-    - name: Install dev Dependencies
+    - name: Install Tox
+      working-directory: ./.github-beeware/scripts
       run: |
-        # We don't actually want to install toga-core;
-        # we just want the dev extras so we have a known version of tox and coverage
-        python -m pip install ./core[dev]
+        python -m pip install --upgrade pip
+        python -m pip install --upgrade setuptools build wheel
+        # Utility script installs tox as defined in pyproject.toml
+        python -m install_requirement tox --extra dev --project-root $(printf -- "%q" "${{ github.workspace }}/core")
 
     - name: Get Packages
       uses: actions/[email protected]
       with:
-        pattern: ${{ needs.package.outputs.artifact-name }}-*
+        pattern: ${{ format('{0}-*', needs.package.outputs.artifact-basename) }}
         merge-multiple: true
+        path: dist
 
     - name: Test
       run: |
         # The $(ls ...) shell expansion is done in the Github environment;
         # the value of TOGA_INSTALL_COMMAND will be a literal string without any shell expansions to perform
-        TOGA_INSTALL_COMMAND="python -m pip install ../$(ls core/dist/toga_core-*.whl)[dev] ../$(ls dummy/dist/toga_dummy-*.whl)" \
+        TOGA_INSTALL_COMMAND="python -m pip install ../$(ls dist/toga_core-*.whl)[dev] ../$(ls dist/toga_dummy-*.whl)" \
           tox -e py-cov
+
         tox -qe coverage$(tr -dc "0-9" <<< "${{ matrix.python-version }}")
         mv core/.coverage core/.coverage.${{ matrix.platform }}.${{ matrix.python-version }}
 
@@ -138,18 +159,26 @@ jobs:
       with:
         fetch-depth: 0
 
+    - name: Checkout beeware/.github
+      uses: actions/[email protected]
+      with:
+        repository: beeware/.github
+        path: .github-beeware
+
     - name: Set up Python ${{ env.min_python_version }}
       uses: actions/[email protected]
       with:
         # Use minimum version of python for coverage to avoid phantom branches
         # https://github.com/nedbat/coveragepy/issues/1572#issuecomment-1522546425
         python-version: ${{ env.min_python_version }}
 
-    - name: Install dev dependencies
+    - name: Install Tox
+      working-directory: ./.github-beeware/scripts
       run: |
-        # We don't actually want to install toga-core;
-        # we just want the dev extras so we have a known version of coverage
-        python -m pip install ./core[dev]
+        python -m pip install --upgrade pip
+        python -m pip install --upgrade setuptools build wheel
+        # Utility script installs tox as defined in pyproject.toml
+        python -m install_requirement tox --extra dev --project-root $(printf -- "%q" "${{ github.workspace }}/core")
 
     - name: Retrieve Coverage Data
       uses: actions/[email protected]

.github/workflows/release.yml

@@ -8,6 +8,8 @@ on:
 jobs:
   ci:
     uses: ./.github/workflows/ci.yml
+    with:
+      attest-package: "true"
 
   docs:
     name: Verify Docs Build
@@ -24,28 +26,29 @@ jobs:
     permissions:
       contents: write
     steps:
-      - name: Set build variables
+      - name: Set Build Variables
         run: |
-          echo "VERSION=${GITHUB_REF_NAME#v}" >> $GITHUB_ENV
+          echo "VERSION=${GITHUB_REF_NAME#v}" | tee -a $GITHUB_ENV
 
-      - name: Get packages
+      - name: Get Packages
         uses: actions/[email protected]
         with:
-          pattern: ${{ needs.ci.outputs.artifact-name }}-*
+          pattern: ${{ format('{0}-*', needs.ci.outputs.artifact-basename) }}
           merge-multiple: true
+          path: dist
 
-      - name: Create release
+      - name: Create Release
         uses: ncipollo/[email protected]
         with:
           name: ${{ env.VERSION }}
           draft: true
-          artifacts: "*/dist/*"
+          artifacts: "dist/*"
           artifactErrorsFailBuild: true
 
   deploy-test:
     name: Publish to TestPyPI
     runs-on: ubuntu-latest
-    needs: [ci, release]
+    needs: [ ci, release ]
     permissions:
       # This permission is required for trusted publishing.
       id-token: write
@@ -68,16 +71,17 @@ jobs:
         - "toga_web"
         - "toga_winforms"
     steps:
-      - name: Get packages
+      - name: Get Packages
         uses: actions/[email protected]
         with:
-          pattern: ${{ needs.ci.outputs.artifact-name }}-*
+          pattern: ${{ format('{0}-*', needs.ci.outputs.artifact-basename) }}
           merge-multiple: true
+          path: staging_dist
 
       - name: Extract ${{ matrix.package }}
         run: |
           mkdir dist
-          mv */dist/$(echo ${{ matrix.package }} | sed 's/_/?/')-[0-9]* dist
+          mv staging_dist/$(echo ${{ matrix.package }} | sed 's/_/?/')-[0-9]* dist
 
       - name: Publish to TestPyPI
         uses: pypa/gh-action-pypi-publish@release/v1

changes/2604.misc.rst

@@ -0,0 +1 @@
+``hynek/build-and-inspect-python-package`` is now used to create the Python package.

demo/pyproject.toml

@@ -119,3 +119,7 @@ build_gradle_dependencies = [
     "com.google.android.material:material:1.11.0",
     "androidx.swiperefreshlayout:swiperefreshlayout:1.1.0",
 ]
+
+[tool.check-wheel-contents]
+# WOO2: duplicated files (i.e. resource images)
+ignore = "W002"

toga/pyproject.toml

@@ -81,3 +81,8 @@ dependencies = [
     # Web
     "toga-web == {version}; sys_platform=='emscripten'",
 ]
+
+[tool.check-wheel-contents]
+# WOO7: wheel library is empty
+# W008: wheel is empty
+ignore = "W007,W008"

tox.ini

@@ -112,7 +112,9 @@ skip_install = True
 passenv = FORCE_COLOR
 deps =
     build==1.2.1
+    check-wheel-contents==0.6.0
     twine==5.1.0
 commands =
     python -m build {posargs}
     python -m twine check {posargs}{/}dist{/}*
+    check-wheel-contents {posargs}{/}dist{/}