pygritlib 0.5.0__tar.gz

pygritlib-0.5.0/.github/scripts/check_release_inventory.py

@@ -0,0 +1,94 @@
+#!/usr/bin/env python3
+"""Validate the release artifact set before publishing to PyPI.
+
+Asserts that a ``dist/`` directory contains exactly the artifacts the release
+workflow is expected to produce: five CPython ``abi3`` wheels (one per target
+platform) and one sdist, every file carrying the same project version. Any
+deviation -- a missing or extra artifact, a version disagreement, a non-abi3
+wheel -- is a hard error, so a malformed upload set can never reach PyPI.
+
+Because each target platform yields a uniquely named wheel, "exactly 5 wheels"
+already implies five distinct platforms; there is no separate platform-tag
+check (the exact tag strings shift with runner images and would be brittle).
+
+Usage: ``python check_release_inventory.py <dist-dir>``
+"""
+
+from __future__ import annotations
+
+import sys
+from pathlib import Path
+
+DIST_NAME = "pygritlib"
+# AIDEV-NOTE: EXPECTED_WHEELS must equal the number of build legs in the release
+# workflow's `build` matrix (.github/workflows/release.yml). Bump both together when
+# adding or removing a wheel target.
+EXPECTED_WHEELS = 5
+SDIST_SUFFIX = ".tar.gz"
+WHEEL_SUFFIX = ".whl"
+
+
+def check_inventory(dist_dir: Path) -> list[str]:
+    """Return a list of human-readable problems with ``dist_dir`` (empty == OK)."""
+    errors: list[str] = []
+    versions: set[str] = set()
+
+    sdists = sorted(dist_dir.glob(f"*{SDIST_SUFFIX}"))
+    if len(sdists) != 1:
+        names = [p.name for p in sdists]
+        errors.append(
+            f"expected exactly 1 sdist (*{SDIST_SUFFIX}), found {len(sdists)}: {names}"
+        )
+    for sdist in sdists:
+        stem = sdist.name[: -len(SDIST_SUFFIX)]
+        parts = stem.split("-")
+        if len(parts) != 2 or parts[0] != DIST_NAME:
+            errors.append(f"unexpected sdist filename: {sdist.name}")
+            continue
+        versions.add(parts[1])
+
+    wheels = sorted(dist_dir.glob(f"*{WHEEL_SUFFIX}"))
+    if len(wheels) != EXPECTED_WHEELS:
+        names = [p.name for p in wheels]
+        errors.append(
+            f"expected exactly {EXPECTED_WHEELS} wheels, found {len(wheels)}: {names}"
+        )
+    for wheel in wheels:
+        stem = wheel.name[: -len(WHEEL_SUFFIX)]
+        parts = stem.split("-")
+        # Expected: name-version-pythontag-abitag-platformtag (no build tag).
+        if len(parts) != 5 or parts[0] != DIST_NAME:
+            errors.append(f"unexpected wheel filename: {wheel.name}")
+            continue
+        _, version, python_tag, abi_tag, _platform = parts
+        versions.add(version)
+        # AIDEV-NOTE: cp311 is the project's minimum Python (abi3 floor); update this
+        # tag here when bumping requires-python in pyproject.toml / Cargo.toml abi3-py*.
+        if python_tag != "cp311" or abi_tag != "abi3":
+            errors.append(f"wheel is not cp311-abi3: {wheel.name}")
+
+    if len(versions) > 1:
+        errors.append(f"artifacts disagree on version: {sorted(versions)}")
+
+    return errors
+
+
+def main(argv: list[str]) -> int:
+    if len(argv) != 2:
+        print(f"usage: {argv[0]} <dist-dir>", file=sys.stderr)
+        return 2
+    dist_dir = Path(argv[1])
+    if not dist_dir.is_dir():
+        print(f"not a directory: {dist_dir}", file=sys.stderr)
+        return 2
+    errors = check_inventory(dist_dir)
+    if errors:
+        for err in errors:
+            print(f"::error::release inventory: {err}", file=sys.stderr)
+        return 1
+    print(f"release inventory OK: {EXPECTED_WHEELS} wheels + 1 sdist, single version")
+    return 0
+
+
+if __name__ == "__main__":
+    raise SystemExit(main(sys.argv))

pygritlib-0.5.0/.github/scripts/test_check_release_inventory.py

@@ -0,0 +1,84 @@
+"""Tests for the release-inventory checker.
+
+Release tooling — intentionally outside ``tests/`` so the binding suite (run by
+CI's ``pytest tests/``) does not collect it.
+"""
+
+from __future__ import annotations
+
+import sys
+from pathlib import Path
+
+sys.path.insert(0, str(Path(__file__).parent))
+
+from check_release_inventory import check_inventory  # noqa: E402
+
+
+def _touch(directory: Path, name: str) -> None:
+    (directory / name).write_bytes(b"")
+
+
+def _good_dist(directory: Path, version: str = "0.1.0") -> None:
+    _touch(directory, f"pygritlib-{version}.tar.gz")
+    _touch(
+        directory,
+        f"pygritlib-{version}-cp311-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl",
+    )
+    _touch(
+        directory,
+        f"pygritlib-{version}-cp311-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl",
+    )
+    _touch(directory, f"pygritlib-{version}-cp311-abi3-musllinux_1_2_x86_64.whl")
+    _touch(directory, f"pygritlib-{version}-cp311-abi3-musllinux_1_2_aarch64.whl")
+    _touch(directory, f"pygritlib-{version}-cp311-abi3-macosx_11_0_arm64.whl")
+
+
+def test_valid_inventory_passes(tmp_path: Path) -> None:
+    _good_dist(tmp_path)
+    assert check_inventory(tmp_path) == []
+
+
+def test_missing_sdist_fails(tmp_path: Path) -> None:
+    _good_dist(tmp_path)
+    (tmp_path / "pygritlib-0.1.0.tar.gz").unlink()
+    errors = check_inventory(tmp_path)
+    assert any("sdist" in e for e in errors), errors
+
+
+def test_extra_sdist_fails(tmp_path: Path) -> None:
+    _good_dist(tmp_path)
+    _touch(tmp_path, "pygritlib-0.1.0.zip.tar.gz")
+    errors = check_inventory(tmp_path)
+    assert any("sdist" in e for e in errors), errors
+
+
+def test_too_few_wheels_fails(tmp_path: Path) -> None:
+    _good_dist(tmp_path)
+    (tmp_path / "pygritlib-0.1.0-cp311-abi3-macosx_11_0_arm64.whl").unlink()
+    errors = check_inventory(tmp_path)
+    assert any("5 wheels" in e for e in errors), errors
+
+
+def test_too_many_wheels_fails(tmp_path: Path) -> None:
+    _good_dist(tmp_path)
+    # A 6th valid abi3 wheel (distinct platform, same version) — only the count check
+    # should fire, proving the gate rejects over-count as well as under-count.
+    _touch(tmp_path, "pygritlib-0.1.0-cp311-abi3-macosx_14_0_arm64.whl")
+    errors = check_inventory(tmp_path)
+    assert any("5 wheels" in e for e in errors), errors
+
+
+def test_non_abi3_wheel_fails(tmp_path: Path) -> None:
+    _good_dist(tmp_path)
+    (tmp_path / "pygritlib-0.1.0-cp311-abi3-macosx_11_0_arm64.whl").unlink()
+    _touch(tmp_path, "pygritlib-0.1.0-cp311-cp311-macosx_11_0_arm64.whl")
+    errors = check_inventory(tmp_path)
+    assert any("abi3" in e for e in errors), errors
+
+
+def test_version_mismatch_fails(tmp_path: Path) -> None:
+    _good_dist(tmp_path)
+    (tmp_path / "pygritlib-0.1.0-cp311-abi3-macosx_11_0_arm64.whl").unlink()
+    _touch(tmp_path, "pygritlib-0.2.0-cp311-abi3-macosx_11_0_arm64.whl")
+    errors = check_inventory(tmp_path)
+    assert any("version" in e for e in errors), errors

pygritlib-0.5.0/.github/workflows/ci.yml

@@ -0,0 +1,201 @@
+# CI for pygritlib (PyO3 + maturin abi3 bindings to grit-lib).
+#
+# Three jobs:
+#   lint         — cargo fmt/clippy + ruff format/check (fast gate).
+#   test         — build the extension and run pytest + mypy + stubtest on a
+#                  Python matrix (3.11 = the abi3 floor, 3.13 = current).
+#   build-wheels — build release abi3 wheels per target, verify the abi3 tag,
+#                  install the wheel into a clean venv and run the FULL suite +
+#                  stubtest against the INSTALLED package, build+install+smoke the
+#                  sdist (fail hard), and upload the artifacts.
+#
+# Conventions / choices (see also rust-toolchain.toml, pyproject.toml):
+#   * Rust toolchain is pinned to 1.94.1 to match rust-toolchain.toml. We pin
+#     dtolnay/rust-toolchain@1.94.1 directly: the `toolchain:` input is only
+#     honored by the @master ref, NOT by @stable, so the version goes in the ref.
+#   * All cargo/maturin builds use --locked (committed Cargo.lock) for
+#     reproducibility, matching the local `--locked` workflow.
+#   * setup-uv is pinned to a full version (@v8.2.0): astral-sh/setup-uv
+#     publishes only full vX.Y.Z tags, NOT a floating major tag, so `@v8` does
+#     not resolve. Bump this pin when updating uv. Dev deps live in
+#     [dependency-groups] (PEP 735), installed via `uv sync --group dev`.
+#   * build-wheels also installs setup-uv: the sdist step shells out to
+#     `uvx maturin sdist`, so uv must be on PATH (harmless on legs that skip it).
+#   * macOS (macos-14 arm64) is best-effort: grit-lib is
+#     Unix-oriented and the deps are pure-Rust, so it is expected to build, but
+#     fail-fast is disabled so a macOS hiccup does not mask Linux results.
+#   * Wheel coverage mirrors most of release.yml's grid: linux glibc x86_64/aarch64,
+#     linux musl x86_64 (Alpine import-smoke only), macOS arm64. The emulated
+#     musl-aarch64 leg is release-only (kept off per-PR CI to avoid a second slow QEMU
+#     build). macOS Intel (x86_64) is not built anywhere — see release.yml.
+#   * aarch64 Linux wheels cross-build inside maturin-action's manylinux
+#     container (manylinux: auto) via emulation — no extra QEMU step is needed
+#     for the build, but that leg does not run the installed-wheel test suite or
+#     the sdist compile (both would require emulating the foreign interpreter /
+#     toolchain); the native legs (linux x86_64, macОS) cover that.
+#   * The native legs install the built wheel into a CLEAN venv and run the real
+#     pytest suite + stubtest against the INSTALLED package — exercising the
+#     shipped wheel, not the source tree. The source `python/pygritlib` is kept off
+#     sys.path by running from a temp dir that contains only tests/ + conftest +
+#     the pyproject pytest config (pyproject's pythonpath=["."] then points at a
+#     dir with no source pygritlib, so the installed wheel is the only importable
+#     copy). These steps fail the job on any test failure.
+#   * The sdist is built, installed into a clean venv (which compiles from source
+#     via the pinned Rust toolchain), and import-smoked — no `|| true`, so a
+#     broken sdist fails the job.
+
+name: CI
+
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: dtolnay/rust-toolchain@1.94.1
+        with:
+          components: rustfmt, clippy
+      - uses: Swatinem/rust-cache@v2
+      - uses: astral-sh/setup-uv@v8.2.0
+      - run: uv sync --group dev
+      - run: cargo fmt --check
+      - run: cargo clippy --all-targets --locked -- -D warnings
+      - run: uv run ruff format --check .
+      - run: uv run ruff check .
+
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: ["3.11", "3.13"]
+    steps:
+      - uses: actions/checkout@v6
+      - uses: dtolnay/rust-toolchain@1.94.1
+        with:
+          components: rustfmt, clippy
+      - uses: Swatinem/rust-cache@v2
+      - uses: astral-sh/setup-uv@v8.2.0
+        with:
+          python-version: ${{ matrix.python-version }}
+      - run: uv sync --group dev
+      - run: uv run maturin develop --uv --locked
+      - run: uv run pytest tests/ -v
+      - run: uv run mypy python tests
+      - run: uv run python -m mypy.stubtest pygritlib
+
+  build-wheels:
+    name: build-wheels (${{ matrix.os }} ${{ matrix.target }} ${{ matrix.manylinux }})
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            target: x86_64
+            manylinux: auto
+            smoke: true
+          - os: ubuntu-latest
+            target: aarch64
+            manylinux: auto
+            smoke: false # cross-built under emulation; foreign interpreter not run here
+          - os: ubuntu-latest
+            target: x86_64
+            manylinux: musllinux_1_2
+            smoke: false
+            musl: true # import-smoke only in an Alpine container (native docker)
+          - os: macos-14
+            target: aarch64
+            manylinux: auto
+            smoke: true
+    steps:
+      - uses: actions/checkout@v6
+      - uses: dtolnay/rust-toolchain@1.94.1
+        with:
+          # Pre-install the rust-toolchain.toml components so a later host `cargo`/
+          # `maturin` call can't trigger a flaky lazy rustup re-add of clippy.
+          components: rustfmt, clippy
+      # The sdist step (x86_64 only) calls `uvx maturin sdist`; uv must be on
+      # PATH. Harmless on the legs that skip that step.
+      - uses: astral-sh/setup-uv@v8.2.0
+      - uses: PyO3/maturin-action@v1
+        with:
+          target: ${{ matrix.target }}
+          args: --release --locked --out dist
+          # glibc legs use `auto` (newer glibc, fine for dev — release.yml pins 2014);
+          # the musl leg builds musllinux_1_2; macOS ignores this (Linux-only).
+          manylinux: ${{ matrix.manylinux }}
+          # AIDEV-NOTE: ring 0.17 (via grit-lib http-ureq -> rustls -> ring) ships pregenerated
+          # ARMv8 asm whose asm_base.h aborts with `#error "ARM assembler must define __ARM_ARCH"`
+          # under the manylinux glibc aarch64 cross-gcc, which doesn't predefine that macro for .S
+          # files. Force-define it for the glibc-aarch64 target only (the CFLAGS var is
+          # target-specific, so x86_64 / musl / macOS legs are untouched). Runs in the build
+          # container so the export reaches cargo's cc invocation.
+          before-script-linux: |
+            export CFLAGS_aarch64_unknown_linux_gnu="-D__ARM_ARCH=8"
+      - name: list wheels
+        run: ls -la dist
+      - name: verify abi3 tag
+        shell: bash
+        run: ls dist/*.whl | grep -q abi3 && echo "abi3 OK"
+      - name: test the INSTALLED wheel (clean venv, full suite + stubtest)
+        if: matrix.smoke
+        shell: bash
+        run: |
+          set -euxo pipefail
+          # Clean venv: only the built wheel + test deps. git is preinstalled on
+          # GitHub runners (the suite shells out to it via tests/conftest.py).
+          python3 -m venv /tmp/wheeltest
+          /tmp/wheeltest/bin/python -m pip install --upgrade pip
+          /tmp/wheeltest/bin/pip install dist/*.whl pytest mypy
+          # Stage ONLY tests/ + the pyproject pytest config in an empty dir, so the
+          # source `python/pygritlib` is NOT importable. pyproject's pythonpath=["."]
+          # then resolves to this dir (no source pygritlib), making the installed wheel
+          # the only `import pygritlib`.
+          workdir="$(mktemp -d)"
+          cp -r tests "$workdir/"
+          cp pyproject.toml "$workdir/"
+          cd "$workdir"
+          # Prove the import comes from the installed wheel, not a source tree.
+          /tmp/wheeltest/bin/python -c "import pygritlib, os; p = os.path.dirname(pygritlib.__file__); print('pygritlib from:', p); assert 'site-packages' in p, p"
+          /tmp/wheeltest/bin/python -m pytest tests/ -q
+          /tmp/wheeltest/bin/python -m mypy.stubtest pygritlib
+      - name: import-smoke the musl wheel (Alpine container)
+        if: matrix.musl
+        shell: bash
+        run: |
+          set -euxo pipefail
+          # The full pytest+stubtest suite runs on glibc x86_64 + both macOS legs; this
+          # leg just proves the wheel loads and links against musl libc. Native docker
+          # (x86_64 host) — no QEMU.
+          shopt -s nullglob
+          wheel=(dist/*-cp311-abi3-*.whl)
+          if [[ ${#wheel[@]} -ne 1 ]]; then
+            echo "::error::expected exactly one *-cp311-abi3-*.whl, found ${#wheel[@]}: ${wheel[*]:-<none>}"
+            ls -la dist || true
+            exit 1
+          fi
+          docker run --rm -v "$PWD/dist:/dist:ro" python:3.11-alpine \
+            sh -c "pip install /dist/${wheel[0]##*/} && python -c 'import pygritlib; pygritlib.Repository'"
+      - name: build + install + smoke the sdist (fail hard)
+        # glibc x86_64 leg only — the musl x86_64 leg also matches os+target.
+        if: matrix.os == 'ubuntu-latest' && matrix.target == 'x86_64' && matrix.manylinux == 'auto'
+        shell: bash
+        run: |
+          set -euxo pipefail
+          # Build the sdist into dist/ (no `|| true` — a failure must fail the job).
+          uvx maturin sdist --out dist
+          # Install the sdist into a clean venv: this COMPILES from source, using
+          # the Rust toolchain set up for this job.
+          python3 -m venv /tmp/sdisttest
+          /tmp/sdisttest/bin/python -m pip install --upgrade pip
+          /tmp/sdisttest/bin/pip install dist/pygritlib-*.tar.gz
+          /tmp/sdisttest/bin/python -c "import pygritlib; pygritlib.Repository"
+      - uses: actions/upload-artifact@v7
+        with:
+          name: wheels-${{ matrix.os }}-${{ matrix.target }}-${{ matrix.manylinux }}
+          path: dist

pygritlib-0.5.0/.github/workflows/release.yml

@@ -0,0 +1,297 @@
+# Trusted-publishing release pipeline for pygritlib (PyO3 + maturin abi3 bindings).
+#
+# Separate from ci.yml so the OIDC `id-token: write` permission never lives in the
+# everyday push/PR workflow. Flow:
+#   version-guard  — (release only) tag must be vX.Y.Z and equal the crate version.
+#   build          — 5 targets (linux glibc x86_64/aarch64, linux musl x86_64/aarch64,
+#                    macOS arm64): build the abi3 wheel, assert exactly one cp311-abi3
+#                    wheel, import-smoke it (native on glibc-x86_64 + macOS; container on
+#                    the glibc-aarch64 + musl-x86_64/aarch64 legs, arm64 via QEMU),
+#                    upload. (No macOS Intel: GitHub's macos-13 runners are deprecated.)
+#   sdist          — build the sdist with the locked maturin, source-compile +
+#                    import-smoke it, upload.
+#   publish-pypi   — (release) provenance + inventory gate, then OIDC publish to PyPI.
+#   publish-testpypi (workflow_dispatch) — same gate, OIDC publish to TestPyPI.
+#
+# Conventions (match ci.yml): pinned Rust 1.94.1, --locked builds, setup-uv@v8.2.0
+# (no floating major exists), checkout@v6 / upload-artifact@v7 / download-artifact@v7
+# (node24, v4+ backend). Only the publish action is commit-SHA-pinned (it handles
+# the OIDC credential / upload); other actions follow ci.yml's floating-major style.
+
+name: Release
+
+on:
+  release:
+    types: [published]      # -> real PyPI
+  workflow_dispatch: {}     # -> TestPyPI dry-run
+
+permissions:
+  contents: read
+
+concurrency:
+  group: release-${{ github.event.release.tag_name || github.ref }}
+  cancel-in-progress: false   # never cancel a partially-completed publish
+
+jobs:
+  version-guard:
+    name: version guard
+    runs-on: ubuntu-latest
+    if: github.event_name == 'release'
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+      - uses: dtolnay/rust-toolchain@1.94.1
+        with:
+          # Pre-install rust-toolchain.toml's components: the cargo-metadata call
+          # below would otherwise trigger a flaky lazy rustup re-add of clippy
+          # (conflict on bin/cargo-clippy) and block the release.
+          components: rustfmt, clippy
+      - name: Assert tag matches crate version
+        shell: bash
+        run: |
+          set -euo pipefail
+          tag="${{ github.event.release.tag_name }}"
+          # v1 policy: final releases only, vX.Y.Z (no PEP 440 prereleases — see spec).
+          if [[ ! "$tag" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+            echo "::error::Release tag '$tag' is not of the form vX.Y.Z (final releases only)."
+            exit 1
+          fi
+          tag_version="${tag#v}"
+          crate_version="$(cargo metadata --locked --format-version=1 \
+            | python3 -c "import json,sys; print([p['version'] for p in json.load(sys.stdin)['packages'] if p['name']=='pygritlib'][0])")"
+          echo "tag=$tag_version crate=$crate_version"
+          if [[ "$tag_version" != "$crate_version" ]]; then
+            echo "::error::Tag version ($tag_version) != crate version ($crate_version). Bump Cargo.toml AND Cargo.lock."
+            exit 1
+          fi
+          echo "version-guard OK: $tag_version"
+
+  build:
+    name: build (${{ matrix.os }} ${{ matrix.target }} ${{ matrix.manylinux }})
+    needs: [version-guard]
+    # version-guard is skipped on workflow_dispatch (its own `if`); allow build to
+    # run when the guard either succeeded (release) or was skipped (dispatch), but
+    # not when it actually failed.
+    if: always() && (needs.version-guard.result == 'success' || needs.version-guard.result == 'skipped')
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          # Linux glibc (manylinux_2_17 via "2014") — native + emulated-arm64 smoke.
+          - os: ubuntu-latest
+            target: x86_64
+            manylinux: "2014"
+            smoke: native
+          - os: ubuntu-latest
+            target: aarch64
+            manylinux: "2014"
+            smoke: container
+            image: python:3.11-slim
+            platform: linux/arm64
+          # Linux musl (musllinux_1_2) — Alpine container smoke (arm64 via QEMU).
+          - os: ubuntu-latest
+            target: x86_64
+            manylinux: musllinux_1_2
+            smoke: container
+            image: python:3.11-alpine
+            platform: linux/amd64
+          - os: ubuntu-latest
+            target: aarch64
+            manylinux: musllinux_1_2
+            smoke: container
+            image: python:3.11-alpine
+            platform: linux/arm64
+          # macOS — native smoke. `manylinux: auto` is a no-op here (Linux-only); it is
+          # set only so every leg defines it (unique artifact names; no empty input).
+          # (Intel x86_64 is NOT built: GitHub's macos-13 Intel runners are deprecated
+          # and queue unreliably — Intel Macs install from the sdist instead.)
+          - os: macos-14
+            target: aarch64
+            manylinux: auto
+            smoke: native
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+      - uses: dtolnay/rust-toolchain@1.94.1
+        with:
+          components: rustfmt, clippy
+      - uses: PyO3/maturin-action@v1
+        with:
+          target: ${{ matrix.target }}
+          args: --release --locked --out dist
+          # glibc legs pin manylinux_2_17 ("2014") for the broadest-compatible tag on
+          # RELEASED wheels; musl legs build musllinux_1_2; macOS passes `auto` (no-op).
+          # ci.yml uses `auto` for glibc (newer glibc, fine for dev — intentional
+          # divergence). Ignored on macOS (manylinux is Linux-only).
+          manylinux: ${{ matrix.manylinux }}
+          # AIDEV-NOTE: ring 0.17 (via grit-lib http-ureq -> rustls -> ring) ships pregenerated
+          # ARMv8 asm whose asm_base.h aborts with `#error "ARM assembler must define __ARM_ARCH"`
+          # under the manylinux glibc aarch64 cross-gcc, which doesn't predefine that macro for .S
+          # files. Force-define it for the glibc-aarch64 target only (the CFLAGS var is
+          # target-specific, so x86_64 / musl / macOS legs are untouched). Runs in the build
+          # container so the export reaches cargo's cc invocation.
+          before-script-linux: |
+            export CFLAGS_aarch64_unknown_linux_gnu="-D__ARM_ARCH=8"
+      - name: Verify exactly one cp311-abi3 wheel
+        shell: bash
+        run: |
+          set -euo pipefail
+          shopt -s nullglob
+          wheels=(dist/*-cp311-abi3-*.whl)
+          if [[ ${#wheels[@]} -ne 1 ]]; then
+            echo "::error::expected exactly one *-cp311-abi3-*.whl, found ${#wheels[@]}: ${wheels[*]:-<none>}"
+            ls -la dist || true
+            exit 1
+          fi
+          echo "abi3 wheel OK: ${wheels[0]}"
+      - name: Set up Python 3.11 for native smoke
+        if: matrix.smoke == 'native'
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - name: Import smoke (native, Python 3.11)
+        if: matrix.smoke == 'native'
+        shell: bash
+        run: |
+          set -euxo pipefail
+          python -m venv /tmp/smoke
+          /tmp/smoke/bin/python -m pip install --upgrade pip
+          /tmp/smoke/bin/pip install dist/*-cp311-abi3-*.whl
+          /tmp/smoke/bin/python -c "import pygritlib; pygritlib.Repository"
+          /tmp/smoke/bin/python -c "import pygritlib, os; p=os.path.dirname(pygritlib.__file__); assert 'site-packages' in p, p; print('imported from', p)"
+      - name: Set up QEMU for emulated arm64 smoke
+        if: matrix.smoke == 'container' && matrix.platform == 'linux/arm64'
+        uses: docker/setup-qemu-action@v3
+      - name: Import smoke (container)
+        if: matrix.smoke == 'container'
+        shell: bash
+        run: |
+          set -euxo pipefail
+          # One step for all container legs: glibc-arm64 (slim) + musl x86_64/arm64
+          # (alpine). `sh -c` works in both slim (dash) and alpine (busybox sh).
+          shopt -s nullglob
+          wheel=(dist/*-cp311-abi3-*.whl)
+          docker run --rm --platform ${{ matrix.platform }} \
+            -v "$PWD/dist:/dist:ro" ${{ matrix.image }} \
+            sh -c "pip install /dist/${wheel[0]##*/} && python -c 'import pygritlib; pygritlib.Repository'"
+      - uses: actions/upload-artifact@v7
+        with:
+          name: wheels-${{ matrix.os }}-${{ matrix.target }}-${{ matrix.manylinux }}
+          path: dist
+          if-no-files-found: error
+
+  sdist:
+    name: sdist
+    needs: [version-guard]
+    if: always() && (needs.version-guard.result == 'success' || needs.version-guard.result == 'skipped')
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+      - uses: dtolnay/rust-toolchain@1.94.1
+        with:
+          components: rustfmt, clippy
+      - uses: astral-sh/setup-uv@v8.2.0
+      - run: uv sync --group dev
+      # `uv run maturin` uses the maturin pinned in uv.lock (reproducible release
+      # builds), NOT a floating `uvx maturin` as in ci.yml's smoke step — deliberate.
+      - name: Build sdist (locked maturin)
+        run: uv run maturin sdist --out dist
+      - name: Source-compile + import-smoke the sdist
+        shell: bash
+        run: |
+          set -euxo pipefail
+          python3 -m venv /tmp/sdisttest
+          /tmp/sdisttest/bin/python -m pip install --upgrade pip
+          /tmp/sdisttest/bin/pip install dist/pygritlib-*.tar.gz
+          /tmp/sdisttest/bin/python -c "import pygritlib; pygritlib.Repository"
+      - uses: actions/upload-artifact@v7
+        with:
+          name: sdist
+          path: dist
+          if-no-files-found: error
+
+  publish-pypi:
+    name: publish to PyPI
+    needs: [build, sdist]
+    if: github.event_name == 'release'
+    runs-on: ubuntu-latest
+    environment: pypi
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - name: Provenance — built commit must be an ancestor of origin/main
+        shell: bash
+        run: |
+          set -euo pipefail
+          # This repo's default branch is `main`; update both publish jobs if renamed.
+          git fetch --no-tags origin main
+          if ! git merge-base --is-ancestor "$GITHUB_SHA" origin/main; then
+            echo "::error::commit $GITHUB_SHA is not an ancestor of origin/main; refusing to publish."
+            exit 1
+          fi
+          echo "provenance OK: $GITHUB_SHA is on origin/main"
+      - uses: actions/download-artifact@v7
+        with:
+          pattern: "*"
+          merge-multiple: true
+          path: dist
+      - name: Inventory — exactly 5 wheels + 1 sdist, single version
+        shell: bash
+        run: |
+          set -euo pipefail
+          ls -la dist
+          python3 .github/scripts/check_release_inventory.py dist
+      - uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b  # v1.14.0
+        with:
+          packages-dir: dist
+
+  publish-testpypi:
+    name: publish to TestPyPI
+    needs: [build, sdist]
+    if: github.event_name == 'workflow_dispatch'
+    runs-on: ubuntu-latest
+    environment: testpypi
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - name: Provenance — built commit must be an ancestor of origin/main
+        shell: bash
+        run: |
+          set -euo pipefail
+          # This repo's default branch is `main`; update both publish jobs if renamed.
+          git fetch --no-tags origin main
+          if ! git merge-base --is-ancestor "$GITHUB_SHA" origin/main; then
+            echo "::error::commit $GITHUB_SHA is not an ancestor of origin/main; refusing to publish."
+            exit 1
+          fi
+          echo "provenance OK: $GITHUB_SHA is on origin/main"
+      - uses: actions/download-artifact@v7
+        with:
+          pattern: "*"
+          merge-multiple: true
+          path: dist
+      - name: Inventory — exactly 5 wheels + 1 sdist, single version
+        shell: bash
+        run: |
+          set -euo pipefail
+          ls -la dist
+          python3 .github/scripts/check_release_inventory.py dist
+      - uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b  # v1.14.0
+        with:
+          repository-url: https://test.pypi.org/legacy/
+          packages-dir: dist

pygritlib-0.5.0/.gitignore

@@ -0,0 +1,11 @@
+/target
+/.venv
+__pycache__/
+*.pyc
+*.so
+/dist
+/build
+.pytest_cache/
+.mypy_cache/
+.ruff_cache/
+*.egg-info/