repro-lambda 0.2.1__tar.gz → 0.2.3__tar.gz

{repro_lambda-0.2.1 → repro_lambda-0.2.3}/.github/workflows/build.yml

@@ -9,13 +9,26 @@ on:
         description: Path to lambdas.toml in the caller repo.
       repro_lambda_version:
         type: string
-        default: "0.2.1"
+        default: "0.2.3"
         description: Pinned repro-lambda PyPI version.
-    secrets:
       aws-dev-role-arn:
+        type: string
         required: true
+        description: ARN of the dev OIDC role assumed for artifact upload. Not a secret (the security boundary is the OIDC trust policy + bucket immutability), so callers pass it as a plain input.
       aws-prod-role-arn:
+        type: string
+        required: false
+        default: ""
+        description: ARN of the prod OIDC role (master push only). Empty string disables the prod upload steps.
+      dev-bucket:
+        type: string
+        required: true
+        description: S3 bucket name for dev Lambda artifacts (set as REPRO_LAMBDA_BUCKET on the dev upload). Caller-supplied so the reusable workflow stays consumer-agnostic.
+      prod-bucket:
+        type: string
         required: false
+        default: ""
+        description: S3 bucket name for prod Lambda artifacts (master push only).
 
 jobs:
   detect-arches:
@@ -58,30 +71,30 @@ jobs:
       - name: Configure AWS credentials (dev)
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          role-to-assume: ${{ secrets.aws-dev-role-arn }}
+          role-to-assume: ${{ inputs.aws-dev-role-arn }}
           aws-region: eu-west-1
 
       - name: Build (dev bucket)
         env:
-          REPRO_LAMBDA_BUCKET: dev-ctf-lambda-artifacts
-        run: uvx --from "repro-lambda==${{ inputs.repro_lambda_version }}" repro-lambda build --manifest "${{ inputs.manifest_path }}"
+          REPRO_LAMBDA_BUCKET: ${{ inputs.dev-bucket }}
+        run: uvx --from "repro-lambda==${{ inputs.repro_lambda_version }}" repro-lambda build --manifest "${{ inputs.manifest_path }}" --arch "${{ matrix.arch }}"
 
       - name: Verify reproducible (PR only)
         if: github.event_name == 'pull_request'
-        run: uvx --from "repro-lambda==${{ inputs.repro_lambda_version }}" repro-lambda build --manifest "${{ inputs.manifest_path }}" --verify --dry-run
+        run: uvx --from "repro-lambda==${{ inputs.repro_lambda_version }}" repro-lambda build --manifest "${{ inputs.manifest_path }}" --arch "${{ matrix.arch }}" --verify --dry-run
 
       - name: Configure AWS credentials (prod)
-        if: github.ref == 'refs/heads/master' && secrets.aws-prod-role-arn != ''
+        if: github.ref == 'refs/heads/master' && inputs.aws-prod-role-arn != ''
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          role-to-assume: ${{ secrets.aws-prod-role-arn }}
+          role-to-assume: ${{ inputs.aws-prod-role-arn }}
           aws-region: eu-west-1
 
       - name: Build (prod bucket)
-        if: github.ref == 'refs/heads/master' && secrets.aws-prod-role-arn != ''
+        if: github.ref == 'refs/heads/master' && inputs.aws-prod-role-arn != ''
         env:
-          REPRO_LAMBDA_BUCKET: prod-ctf-lambda-artifacts
-        run: uvx --from "repro-lambda==${{ inputs.repro_lambda_version }}" repro-lambda build --manifest "${{ inputs.manifest_path }}"
+          REPRO_LAMBDA_BUCKET: ${{ inputs.prod-bucket }}
+        run: uvx --from "repro-lambda==${{ inputs.repro_lambda_version }}" repro-lambda build --manifest "${{ inputs.manifest_path }}" --arch "${{ matrix.arch }}"
 
       - name: Commit catalog drift (master only, dev bot)
         if: github.ref == 'refs/heads/master'

{repro_lambda-0.2.1 → repro_lambda-0.2.3}/CHANGELOG.md

@@ -1,5 +1,26 @@
 # Changelog
 
+## v0.2.3 - 2026-06-20
+
+### Fixed
+- Python build container staged dependencies under `/build` (root-owned), which failed with `mkdir: Permission denied` when the container runs as a non-root `--user` (e.g. GitHub-hosted runners, uid 1001). Staging moved to `/tmp/build` (world-writable).
+
+### Added
+- `build --arch <arm64|x86_64>` filters the manifest to lambdas of that arch, so a per-arch CI matrix builds each arch natively on its own runner. This avoids cross-arch `docker run` (which fails without emulation, and emulated builds would break byte-reproducibility). The reusable `build.yml` passes `--arch ${{ matrix.arch }}`.
+
+## v0.2.2 - 2026-06-20
+
+### Changed
+- Reusable workflow `build.yml` now takes `aws-dev-role-arn` and `aws-prod-role-arn` as **inputs** instead of **secrets**. A role ARN is not sensitive (the security boundary is the OIDC trust policy plus the key-level bucket immutability policy), and typing it as a secret blocked callers from passing a derivable literal ARN, since secret inputs reject plain literal values. No package code change: PyPI 0.2.2 is behaviorally identical to 0.2.1.
+- Artifact bucket names are now `dev-bucket` / `prod-bucket` **inputs** instead of hardcoded values, so the reusable workflow is consumer-agnostic and carries no environment-specific bucket names.
+
+### Consumer migration
+- Bump the workflow ref to `uses: antonbabenko/repro-lambda/.github/workflows/build.yml@v0.2.2` and move `aws-dev-role-arn` / `aws-prod-role-arn` to the `with:` block, adding `dev-bucket` (and `prod-bucket` if you upload to prod). They are inputs now, so plain literals are valid:
+
+      with:
+        aws-dev-role-arn: arn:aws:iam::<account>:role/<role>
+        dev-bucket: <env>-my-lambda-artifacts
+
 ## v0.2.1 - 2026-05-27
 
 ### Changed

{repro_lambda-0.2.1 → repro_lambda-0.2.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: repro-lambda
-Version: 0.2.1
+Version: 0.2.3
 Summary: Build reproducible AWS Lambda packages outside Terraform, optimized for terraform-aws-lambda by serverless.tf.
 Project-URL: Homepage, https://github.com/antonbabenko/repro-lambda
 Project-URL: Repository, https://github.com/antonbabenko/repro-lambda

{repro_lambda-0.2.1 → repro_lambda-0.2.3}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "repro-lambda"
-version = "0.2.1"
+version = "0.2.3"
 description = "Build reproducible AWS Lambda packages outside Terraform, optimized for terraform-aws-lambda by serverless.tf."
 readme = "README.md"
 requires-python = ">=3.11"

{repro_lambda-0.2.1 → repro_lambda-0.2.3}/src/repro_lambda/__init__.py

@@ -1,3 +1,3 @@
 """repro-lambda — reproducible AWS Lambda packaging outside Terraform."""
 
-__version__ = "0.2.1"
+__version__ = "0.2.3"

{repro_lambda-0.2.1 → repro_lambda-0.2.3}/src/repro_lambda/cli.py

@@ -63,6 +63,12 @@ def build(
     verify: Annotated[bool, typer.Option("--verify")] = False,
     dry_run: Annotated[bool, typer.Option("--dry-run")] = False,
     allow_dirty: Annotated[bool, typer.Option("--allow-dirty")] = False,
+    arch: Annotated[
+        str,
+        typer.Option(
+            "--arch", help="Only build lambdas with this arch (e.g. arm64, x86_64). Empty = all."
+        ),
+    ] = "",
 ) -> None:
     """Build one lambda (or all) per manifest and upload to S3."""
     import json
@@ -84,6 +90,12 @@ def build(
         typer.echo(f"no lambda named {target!r} in {manifest}", err=True)
         raise typer.Exit(2)
 
+    if arch:
+        selected = [s for s in selected if s.arch == arch]
+        if not selected:
+            typer.echo(f"no lambdas with arch {arch!r} in {manifest}; nothing to build")
+            raise typer.Exit(0)
+
     if not dry_run and not bucket:
         typer.echo(
             "--bucket or REPRO_LAMBDA_BUCKET env var is required for non-dry-run",

{repro_lambda-0.2.1 → repro_lambda-0.2.3}/src/repro_lambda/docker_runner.py

@@ -37,7 +37,7 @@ class DockerRunError(RuntimeError):
 
 _PYTHON_INSTALL_SCRIPT = r"""
 set -euxo pipefail
-PKG=/build/pkg
+PKG=/tmp/build/pkg
 mkdir -p "$PKG"
 cp -R /src/source/. "$PKG/"
 

{repro_lambda-0.2.1 → repro_lambda-0.2.3}/tests/test_build_integration.py

@@ -61,12 +61,12 @@ def test_build_one_cache_hit_skips_docker_and_returns_existing_sha(
     with mock_aws():
         s3 = boto3.client("s3", region_name="eu-west-1")
         s3.create_bucket(
-            Bucket="dev-ctf-lambda-artifacts",
+            Bucket="dev-test-lambda-artifacts",
             CreateBucketConfiguration={"LocationConstraint": "eu-west-1"},
         )
         sha = compute_sha_for(repo_root=git_repo_with_sample, spec=spec, builder=builder)
         s3.put_object(
-            Bucket="dev-ctf-lambda-artifacts",
+            Bucket="dev-test-lambda-artifacts",
             Key=f"lambdas/app/{sha}.zip",
             Body=b"existing",
         )
@@ -75,7 +75,7 @@ def test_build_one_cache_hit_skips_docker_and_returns_existing_sha(
             repo_root=git_repo_with_sample,
             spec=spec,
             builder=builder,
-            bucket="dev-ctf-lambda-artifacts",
+            bucket="dev-test-lambda-artifacts",
             catalog=catalog,
             source_commit="deadbeef",
         )
@@ -99,7 +99,7 @@ def test_build_one_cache_miss_runs_docker_uploads_and_records(git_repo_with_samp
     with mock_aws():
         s3 = boto3.client("s3", region_name="eu-west-1")
         s3.create_bucket(
-            Bucket="dev-ctf-lambda-artifacts",
+            Bucket="dev-test-lambda-artifacts",
             CreateBucketConfiguration={"LocationConstraint": "eu-west-1"},
         )
 
@@ -107,14 +107,14 @@ def test_build_one_cache_miss_runs_docker_uploads_and_records(git_repo_with_samp
             repo_root=git_repo_with_sample,
             spec=spec,
             builder=builder,
-            bucket="dev-ctf-lambda-artifacts",
+            bucket="dev-test-lambda-artifacts",
             catalog=catalog,
             source_commit="deadbeef",
         )
 
         assert outcome.outcome == BuildResult.BUILT_AND_UPLOADED
         s3.head_object(
-            Bucket="dev-ctf-lambda-artifacts",
+            Bucket="dev-test-lambda-artifacts",
             Key=f"lambdas/app/{outcome.sha256}.zip",
         )
 
@@ -134,7 +134,7 @@ def test_build_one_dry_run_computes_hash_but_skips_upload(git_repo_with_sample:
         repo_root=git_repo_with_sample,
         spec=spec,
         builder=builder,
-        bucket="dev-ctf-lambda-artifacts",
+        bucket="dev-test-lambda-artifacts",
         catalog=catalog,
         source_commit="deadbeef",
         dry_run=True,

{repro_lambda-0.2.1 → repro_lambda-0.2.3}/tests/test_build_nodejs.py

@@ -60,12 +60,12 @@ def test_build_one_nodejs_routes_to_build_nodejs_lambda(git_repo_with_nodejs_sam
 
     with mock_aws():
         s3 = boto3.client("s3", region_name="us-east-1")
-        s3.create_bucket(Bucket="dev-ctf-lambda-artifacts-us-east-1")
+        s3.create_bucket(Bucket="dev-test-lambda-artifacts-us-east-1")
         outcome = build_one(
             repo_root=git_repo_with_nodejs_sample,
             spec=_nodejs_spec(),
             builder=_nodejs_builder(),
-            bucket="dev-ctf-lambda-artifacts",
+            bucket="dev-test-lambda-artifacts",
             catalog=Catalog(lambdas={}),
             source_commit="deadbeef",
         )
@@ -84,16 +84,16 @@ def test_build_one_lambda_at_edge_uses_us_east_1_bucket(git_repo_with_nodejs_sam
     )
     with mock_aws():
         s3 = boto3.client("s3", region_name="us-east-1")
-        s3.create_bucket(Bucket="dev-ctf-lambda-artifacts-us-east-1")
+        s3.create_bucket(Bucket="dev-test-lambda-artifacts-us-east-1")
         outcome = build_one(
             repo_root=git_repo_with_nodejs_sample,
             spec=_nodejs_spec(),
             builder=_nodejs_builder(),
-            bucket="dev-ctf-lambda-artifacts",
+            bucket="dev-test-lambda-artifacts",
             catalog=Catalog(lambdas={}),
             source_commit="deadbeef",
         )
         s3.head_object(
-            Bucket="dev-ctf-lambda-artifacts-us-east-1",
+            Bucket="dev-test-lambda-artifacts-us-east-1",
             Key=f"lambdas/edge/{outcome.sha256}.zip",
         )

{repro_lambda-0.2.1 → repro_lambda-0.2.3}/tests/test_cli_build.py

@@ -70,13 +70,13 @@ def test_cli_build_emits_catalog_on_success(consumer_repo: Path, mocker):
     )
     with mock_aws():
         boto3.client("s3", region_name="eu-west-1").create_bucket(
-            Bucket="dev-ctf-lambda-artifacts",
+            Bucket="dev-test-lambda-artifacts",
             CreateBucketConfiguration={"LocationConstraint": "eu-west-1"},
         )
         result = runner.invoke(
             app,
             ["build", "app", "--manifest", str(consumer_repo / "lambdas.toml")],
-            env={"REPRO_LAMBDA_BUCKET": "dev-ctf-lambda-artifacts"},
+            env={"REPRO_LAMBDA_BUCKET": "dev-test-lambda-artifacts"},
         )
     assert result.exit_code == 0, result.stdout
     catalog_path = consumer_repo / "builds" / "catalog.json"
@@ -109,3 +109,23 @@ def test_cli_build_allow_dirty_bypasses_guard(consumer_repo: Path, mocker):
         ],
     )
     assert result.exit_code == 0, result.stdout
+
+
+def test_cli_build_arch_filter_skips_nonmatching(consumer_repo: Path, mocker):
+    mock_docker = mocker.patch("repro_lambda.build.build_python_lambda")
+    result = runner.invoke(
+        app,
+        [
+            "build",
+            "app",
+            "--manifest",
+            str(consumer_repo / "lambdas.toml"),
+            "--arch",
+            "x86_64",
+            "--dry-run",
+        ],
+    )
+    # consumer_repo's only lambda 'app' is arm64; an x86_64 filter -> nothing to build.
+    assert result.exit_code == 0, result.stdout
+    assert "nothing to build" in result.stdout
+    mock_docker.assert_not_called()

{repro_lambda-0.2.1 → repro_lambda-0.2.3}/tests/test_cli_smoke.py

@@ -1,5 +1,6 @@
 from typer.testing import CliRunner
 
+from repro_lambda import __version__
 from repro_lambda.cli import app
 
 runner = CliRunner()
@@ -8,7 +9,7 @@ runner = CliRunner()
 def test_cli_version_shows_package_version():
     result = runner.invoke(app, ["--version"])
     assert result.exit_code == 0
-    assert "0.2.1" in result.stdout
+    assert __version__ in result.stdout
 
 
 def test_cli_build_subcommand_exists():

{repro_lambda-0.2.1 → repro_lambda-0.2.3}/tests/test_s3_uploader.py

@@ -12,10 +12,10 @@ def bucket():
     with mock_aws():
         s3 = boto3.client("s3", region_name="eu-west-1")
         s3.create_bucket(
-            Bucket="dev-ctf-lambda-artifacts",
+            Bucket="dev-test-lambda-artifacts",
             CreateBucketConfiguration={"LocationConstraint": "eu-west-1"},
         )
-        yield "dev-ctf-lambda-artifacts"
+        yield "dev-test-lambda-artifacts"
 
 
 def _make_zip(tmp_path: Path, content: bytes = b"PK\x05\x06" + b"\x00" * 18) -> Path:

{repro_lambda-0.2.1 → repro_lambda-0.2.3}/uv.lock

@@ -646,7 +646,7 @@ wheels = [
 
 [[package]]
 name = "repro-lambda"
-version = "0.2.1"
+version = "0.2.3"
 source = { editable = "." }
 dependencies = [
     { name = "boto3" },