build: add workaround to auto-update build system

Dependabot does not support `build-system.requires`. To get reproducibility and auto-updates, we pin the version in a regular requirements file and use it as constraint during build. requirements-build.txt is used as constraint file elsewhere now too. h/t @jku
lukpueh · Dec 13, 2023 · 1280db8 · 1280db8
1 parent 44e0bb6
commit 1280db8
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 4 deletions.
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
@@ -29,10 +29,10 @@ jobs:
           python-version: '3.x'
 
       - name: Install build dependency
-        run: python3 -m pip install -r requirements-build.txt
+        run: python3 -m pip install --constraint requirements-build.txt build
 
       - name: Build binary wheel and source tarball
-        run: python3 -m build --sdist --wheel --outdir dist/ .
+        run: PIP_CONSTRAINT=requirements-build.txt python3 -m build --sdist --wheel --outdir dist/ .
 
       - name: Store build artifacts
         uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3

diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,8 @@
 [build-system]
-# Version needs manual updates (dependabot/dependabot-core#8465)
-requires = ["hatchling==1.20.0"]
+# Dependabot cannot do `build-system.requires` (dependabot/dependabot-core#8465)
+# workaround to get reproducibility and auto-updates:
+#   PIP_CONSTRAINT=requirements/build.txt python3 -m build ...
+requires = ["hatchling"]
 build-backend = "hatchling.build"
 
 [project]

diff --git a/requirements-build.txt b/requirements-build.txt
@@ -1 +1,2 @@
 build==1.0.3
+hatchling==1.20.0