repro-lambda 0.2.1__tar.gz → 0.2.2__tar.gz

{repro_lambda-0.2.1 → repro_lambda-0.2.2}/.github/workflows/build.yml

@@ -9,13 +9,26 @@ on:
         description: Path to lambdas.toml in the caller repo.
       repro_lambda_version:
         type: string
-        default: "0.2.1"
+        default: "0.2.2"
         description: Pinned repro-lambda PyPI version.
-    secrets:
       aws-dev-role-arn:
+        type: string
         required: true
+        description: ARN of the dev OIDC role assumed for artifact upload. Not a secret (the security boundary is the OIDC trust policy + bucket immutability), so callers pass it as a plain input.
       aws-prod-role-arn:
+        type: string
+        required: false
+        default: ""
+        description: ARN of the prod OIDC role (master push only). Empty string disables the prod upload steps.
+      dev-bucket:
+        type: string
+        required: true
+        description: S3 bucket name for dev Lambda artifacts (set as REPRO_LAMBDA_BUCKET on the dev upload). Caller-supplied so the reusable workflow stays consumer-agnostic.
+      prod-bucket:
+        type: string
         required: false
+        default: ""
+        description: S3 bucket name for prod Lambda artifacts (master push only).
 
 jobs:
   detect-arches:
@@ -58,12 +71,12 @@ jobs:
       - name: Configure AWS credentials (dev)
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          role-to-assume: ${{ secrets.aws-dev-role-arn }}
+          role-to-assume: ${{ inputs.aws-dev-role-arn }}
           aws-region: eu-west-1
 
       - name: Build (dev bucket)
         env:
-          REPRO_LAMBDA_BUCKET: dev-ctf-lambda-artifacts
+          REPRO_LAMBDA_BUCKET: ${{ inputs.dev-bucket }}
         run: uvx --from "repro-lambda==${{ inputs.repro_lambda_version }}" repro-lambda build --manifest "${{ inputs.manifest_path }}"
 
       - name: Verify reproducible (PR only)
@@ -71,16 +84,16 @@ jobs:
         run: uvx --from "repro-lambda==${{ inputs.repro_lambda_version }}" repro-lambda build --manifest "${{ inputs.manifest_path }}" --verify --dry-run
 
       - name: Configure AWS credentials (prod)
-        if: github.ref == 'refs/heads/master' && secrets.aws-prod-role-arn != ''
+        if: github.ref == 'refs/heads/master' && inputs.aws-prod-role-arn != ''
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          role-to-assume: ${{ secrets.aws-prod-role-arn }}
+          role-to-assume: ${{ inputs.aws-prod-role-arn }}
           aws-region: eu-west-1
 
       - name: Build (prod bucket)
-        if: github.ref == 'refs/heads/master' && secrets.aws-prod-role-arn != ''
+        if: github.ref == 'refs/heads/master' && inputs.aws-prod-role-arn != ''
         env:
-          REPRO_LAMBDA_BUCKET: prod-ctf-lambda-artifacts
+          REPRO_LAMBDA_BUCKET: ${{ inputs.prod-bucket }}
         run: uvx --from "repro-lambda==${{ inputs.repro_lambda_version }}" repro-lambda build --manifest "${{ inputs.manifest_path }}"
 
       - name: Commit catalog drift (master only, dev bot)

{repro_lambda-0.2.1 → repro_lambda-0.2.2}/CHANGELOG.md

@@ -1,5 +1,18 @@
 # Changelog
 
+## v0.2.2 - 2026-06-20
+
+### Changed
+- Reusable workflow `build.yml` now takes `aws-dev-role-arn` and `aws-prod-role-arn` as **inputs** instead of **secrets**. A role ARN is not sensitive (the security boundary is the OIDC trust policy plus the key-level bucket immutability policy), and typing it as a secret blocked callers from passing a derivable literal ARN, since secret inputs reject plain literal values. No package code change: PyPI 0.2.2 is behaviorally identical to 0.2.1.
+- Artifact bucket names are now `dev-bucket` / `prod-bucket` **inputs** instead of hardcoded values, so the reusable workflow is consumer-agnostic and carries no environment-specific bucket names.
+
+### Consumer migration
+- Bump the workflow ref to `uses: antonbabenko/repro-lambda/.github/workflows/build.yml@v0.2.2` and move `aws-dev-role-arn` / `aws-prod-role-arn` to the `with:` block, adding `dev-bucket` (and `prod-bucket` if you upload to prod). They are inputs now, so plain literals are valid:
+
+      with:
+        aws-dev-role-arn: arn:aws:iam::<account>:role/<role>
+        dev-bucket: <env>-my-lambda-artifacts
+
 ## v0.2.1 - 2026-05-27
 
 ### Changed

{repro_lambda-0.2.1 → repro_lambda-0.2.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: repro-lambda
-Version: 0.2.1
+Version: 0.2.2
 Summary: Build reproducible AWS Lambda packages outside Terraform, optimized for terraform-aws-lambda by serverless.tf.
 Project-URL: Homepage, https://github.com/antonbabenko/repro-lambda
 Project-URL: Repository, https://github.com/antonbabenko/repro-lambda

{repro_lambda-0.2.1 → repro_lambda-0.2.2}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "repro-lambda"
-version = "0.2.1"
+version = "0.2.2"
 description = "Build reproducible AWS Lambda packages outside Terraform, optimized for terraform-aws-lambda by serverless.tf."
 readme = "README.md"
 requires-python = ">=3.11"

{repro_lambda-0.2.1 → repro_lambda-0.2.2}/src/repro_lambda/__init__.py

@@ -1,3 +1,3 @@
 """repro-lambda — reproducible AWS Lambda packaging outside Terraform."""
 
-__version__ = "0.2.1"
+__version__ = "0.2.2"

{repro_lambda-0.2.1 → repro_lambda-0.2.2}/tests/test_build_integration.py

@@ -61,12 +61,12 @@ def test_build_one_cache_hit_skips_docker_and_returns_existing_sha(
     with mock_aws():
         s3 = boto3.client("s3", region_name="eu-west-1")
         s3.create_bucket(
-            Bucket="dev-ctf-lambda-artifacts",
+            Bucket="dev-test-lambda-artifacts",
             CreateBucketConfiguration={"LocationConstraint": "eu-west-1"},
         )
         sha = compute_sha_for(repo_root=git_repo_with_sample, spec=spec, builder=builder)
         s3.put_object(
-            Bucket="dev-ctf-lambda-artifacts",
+            Bucket="dev-test-lambda-artifacts",
             Key=f"lambdas/app/{sha}.zip",
             Body=b"existing",
         )
@@ -75,7 +75,7 @@ def test_build_one_cache_hit_skips_docker_and_returns_existing_sha(
             repo_root=git_repo_with_sample,
             spec=spec,
             builder=builder,
-            bucket="dev-ctf-lambda-artifacts",
+            bucket="dev-test-lambda-artifacts",
             catalog=catalog,
             source_commit="deadbeef",
         )
@@ -99,7 +99,7 @@ def test_build_one_cache_miss_runs_docker_uploads_and_records(git_repo_with_samp
     with mock_aws():
         s3 = boto3.client("s3", region_name="eu-west-1")
         s3.create_bucket(
-            Bucket="dev-ctf-lambda-artifacts",
+            Bucket="dev-test-lambda-artifacts",
             CreateBucketConfiguration={"LocationConstraint": "eu-west-1"},
         )
 
@@ -107,14 +107,14 @@ def test_build_one_cache_miss_runs_docker_uploads_and_records(git_repo_with_samp
             repo_root=git_repo_with_sample,
             spec=spec,
             builder=builder,
-            bucket="dev-ctf-lambda-artifacts",
+            bucket="dev-test-lambda-artifacts",
             catalog=catalog,
             source_commit="deadbeef",
         )
 
         assert outcome.outcome == BuildResult.BUILT_AND_UPLOADED
         s3.head_object(
-            Bucket="dev-ctf-lambda-artifacts",
+            Bucket="dev-test-lambda-artifacts",
             Key=f"lambdas/app/{outcome.sha256}.zip",
         )
 
@@ -134,7 +134,7 @@ def test_build_one_dry_run_computes_hash_but_skips_upload(git_repo_with_sample:
         repo_root=git_repo_with_sample,
         spec=spec,
         builder=builder,
-        bucket="dev-ctf-lambda-artifacts",
+        bucket="dev-test-lambda-artifacts",
         catalog=catalog,
         source_commit="deadbeef",
         dry_run=True,

{repro_lambda-0.2.1 → repro_lambda-0.2.2}/tests/test_build_nodejs.py

@@ -60,12 +60,12 @@ def test_build_one_nodejs_routes_to_build_nodejs_lambda(git_repo_with_nodejs_sam
 
     with mock_aws():
         s3 = boto3.client("s3", region_name="us-east-1")
-        s3.create_bucket(Bucket="dev-ctf-lambda-artifacts-us-east-1")
+        s3.create_bucket(Bucket="dev-test-lambda-artifacts-us-east-1")
         outcome = build_one(
             repo_root=git_repo_with_nodejs_sample,
             spec=_nodejs_spec(),
             builder=_nodejs_builder(),
-            bucket="dev-ctf-lambda-artifacts",
+            bucket="dev-test-lambda-artifacts",
             catalog=Catalog(lambdas={}),
             source_commit="deadbeef",
         )
@@ -84,16 +84,16 @@ def test_build_one_lambda_at_edge_uses_us_east_1_bucket(git_repo_with_nodejs_sam
     )
     with mock_aws():
         s3 = boto3.client("s3", region_name="us-east-1")
-        s3.create_bucket(Bucket="dev-ctf-lambda-artifacts-us-east-1")
+        s3.create_bucket(Bucket="dev-test-lambda-artifacts-us-east-1")
         outcome = build_one(
             repo_root=git_repo_with_nodejs_sample,
             spec=_nodejs_spec(),
             builder=_nodejs_builder(),
-            bucket="dev-ctf-lambda-artifacts",
+            bucket="dev-test-lambda-artifacts",
             catalog=Catalog(lambdas={}),
             source_commit="deadbeef",
         )
         s3.head_object(
-            Bucket="dev-ctf-lambda-artifacts-us-east-1",
+            Bucket="dev-test-lambda-artifacts-us-east-1",
             Key=f"lambdas/edge/{outcome.sha256}.zip",
         )

{repro_lambda-0.2.1 → repro_lambda-0.2.2}/tests/test_cli_build.py

@@ -70,13 +70,13 @@ def test_cli_build_emits_catalog_on_success(consumer_repo: Path, mocker):
     )
     with mock_aws():
         boto3.client("s3", region_name="eu-west-1").create_bucket(
-            Bucket="dev-ctf-lambda-artifacts",
+            Bucket="dev-test-lambda-artifacts",
             CreateBucketConfiguration={"LocationConstraint": "eu-west-1"},
         )
         result = runner.invoke(
             app,
             ["build", "app", "--manifest", str(consumer_repo / "lambdas.toml")],
-            env={"REPRO_LAMBDA_BUCKET": "dev-ctf-lambda-artifacts"},
+            env={"REPRO_LAMBDA_BUCKET": "dev-test-lambda-artifacts"},
         )
     assert result.exit_code == 0, result.stdout
     catalog_path = consumer_repo / "builds" / "catalog.json"

{repro_lambda-0.2.1 → repro_lambda-0.2.2}/tests/test_s3_uploader.py

@@ -12,10 +12,10 @@ def bucket():
     with mock_aws():
         s3 = boto3.client("s3", region_name="eu-west-1")
         s3.create_bucket(
-            Bucket="dev-ctf-lambda-artifacts",
+            Bucket="dev-test-lambda-artifacts",
             CreateBucketConfiguration={"LocationConstraint": "eu-west-1"},
         )
-        yield "dev-ctf-lambda-artifacts"
+        yield "dev-test-lambda-artifacts"
 
 
 def _make_zip(tmp_path: Path, content: bytes = b"PK\x05\x06" + b"\x00" * 18) -> Path:

{repro_lambda-0.2.1 → repro_lambda-0.2.2}/uv.lock

@@ -646,7 +646,7 @@ wheels = [
 
 [[package]]
 name = "repro-lambda"
-version = "0.2.1"
+version = "0.2.2"
 source = { editable = "." }
 dependencies = [
     { name = "boto3" },