repro-lambda 0.2.2__tar.gz → 0.2.4__tar.gz

{repro_lambda-0.2.2 → repro_lambda-0.2.4}/.github/workflows/build.yml

@@ -9,7 +9,7 @@ on:
         description: Path to lambdas.toml in the caller repo.
       repro_lambda_version:
         type: string
-        default: "0.2.2"
+        default: "0.2.4"
         description: Pinned repro-lambda PyPI version.
       aws-dev-role-arn:
         type: string
@@ -77,11 +77,11 @@ jobs:
       - name: Build (dev bucket)
         env:
           REPRO_LAMBDA_BUCKET: ${{ inputs.dev-bucket }}
-        run: uvx --from "repro-lambda==${{ inputs.repro_lambda_version }}" repro-lambda build --manifest "${{ inputs.manifest_path }}"
+        run: uvx --from "repro-lambda==${{ inputs.repro_lambda_version }}" repro-lambda build --manifest "${{ inputs.manifest_path }}" --arch "${{ matrix.arch }}"
 
       - name: Verify reproducible (PR only)
         if: github.event_name == 'pull_request'
-        run: uvx --from "repro-lambda==${{ inputs.repro_lambda_version }}" repro-lambda build --manifest "${{ inputs.manifest_path }}" --verify --dry-run
+        run: uvx --from "repro-lambda==${{ inputs.repro_lambda_version }}" repro-lambda build --manifest "${{ inputs.manifest_path }}" --arch "${{ matrix.arch }}" --verify --dry-run
 
       - name: Configure AWS credentials (prod)
         if: github.ref == 'refs/heads/master' && inputs.aws-prod-role-arn != ''
@@ -94,7 +94,7 @@ jobs:
         if: github.ref == 'refs/heads/master' && inputs.aws-prod-role-arn != ''
         env:
           REPRO_LAMBDA_BUCKET: ${{ inputs.prod-bucket }}
-        run: uvx --from "repro-lambda==${{ inputs.repro_lambda_version }}" repro-lambda build --manifest "${{ inputs.manifest_path }}"
+        run: uvx --from "repro-lambda==${{ inputs.repro_lambda_version }}" repro-lambda build --manifest "${{ inputs.manifest_path }}" --arch "${{ matrix.arch }}"
 
       - name: Commit catalog drift (master only, dev bot)
         if: github.ref == 'refs/heads/master'

{repro_lambda-0.2.2 → repro_lambda-0.2.4}/CHANGELOG.md

@@ -1,5 +1,18 @@
 # Changelog
 
+## v0.2.4 - 2026-06-20
+
+### Fixed
+- Container build no longer shells out to `find`/`xargs` (both absent from the minimal AWS Lambda base images, which caused `find: command not found`). The post-install cleanup (Python caches + non-deterministic `*.dist-info` metadata: RECORD, INSTALLER, direct_url.json, REQUESTED) now happens in the Python zip step via exclude globs, producing the same artifact bytes.
+
+## v0.2.3 - 2026-06-20
+
+### Fixed
+- Python build container staged dependencies under `/build` (root-owned), which failed with `mkdir: Permission denied` when the container runs as a non-root `--user` (e.g. GitHub-hosted runners, uid 1001). Staging moved to `/tmp/build` (world-writable).
+
+### Added
+- `build --arch <arm64|x86_64>` filters the manifest to lambdas of that arch, so a per-arch CI matrix builds each arch natively on its own runner. This avoids cross-arch `docker run` (which fails without emulation, and emulated builds would break byte-reproducibility). The reusable `build.yml` passes `--arch ${{ matrix.arch }}`.
+
 ## v0.2.2 - 2026-06-20
 
 ### Changed

{repro_lambda-0.2.2 → repro_lambda-0.2.4}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: repro-lambda
-Version: 0.2.2
+Version: 0.2.4
 Summary: Build reproducible AWS Lambda packages outside Terraform, optimized for terraform-aws-lambda by serverless.tf.
 Project-URL: Homepage, https://github.com/antonbabenko/repro-lambda
 Project-URL: Repository, https://github.com/antonbabenko/repro-lambda

{repro_lambda-0.2.2 → repro_lambda-0.2.4}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "repro-lambda"
-version = "0.2.2"
+version = "0.2.4"
 description = "Build reproducible AWS Lambda packages outside Terraform, optimized for terraform-aws-lambda by serverless.tf."
 readme = "README.md"
 requires-python = ">=3.11"

{repro_lambda-0.2.2 → repro_lambda-0.2.4}/src/repro_lambda/__init__.py

@@ -1,3 +1,3 @@
 """repro-lambda — reproducible AWS Lambda packaging outside Terraform."""
 
-__version__ = "0.2.2"
+__version__ = "0.2.4"

{repro_lambda-0.2.2 → repro_lambda-0.2.4}/src/repro_lambda/cli.py

@@ -63,6 +63,12 @@ def build(
     verify: Annotated[bool, typer.Option("--verify")] = False,
     dry_run: Annotated[bool, typer.Option("--dry-run")] = False,
     allow_dirty: Annotated[bool, typer.Option("--allow-dirty")] = False,
+    arch: Annotated[
+        str,
+        typer.Option(
+            "--arch", help="Only build lambdas with this arch (e.g. arm64, x86_64). Empty = all."
+        ),
+    ] = "",
 ) -> None:
     """Build one lambda (or all) per manifest and upload to S3."""
     import json
@@ -84,6 +90,12 @@ def build(
         typer.echo(f"no lambda named {target!r} in {manifest}", err=True)
         raise typer.Exit(2)
 
+    if arch:
+        selected = [s for s in selected if s.arch == arch]
+        if not selected:
+            typer.echo(f"no lambdas with arch {arch!r} in {manifest}; nothing to build")
+            raise typer.Exit(0)
+
     if not dry_run and not bucket:
         typer.echo(
             "--bucket or REPRO_LAMBDA_BUCKET env var is required for non-dry-run",
@@ -208,11 +220,24 @@ def init() -> None:
     raise typer.Exit(0)
 
 
+# Stripped from every lambda zip so the container build needs no findutils/xargs
+# (absent from minimal Lambda base images): Python caches and the non-deterministic
+# dist-info metadata files pip writes (RECORD, INSTALLER, direct_url.json, REQUESTED).
+_LAMBDA_ZIP_EXCLUDES = [
+    "*__pycache__*",
+    "*.pyc",
+    "*.dist-info/RECORD",
+    "*.dist-info/INSTALLER",
+    "*.dist-info/direct_url.json",
+    "*.dist-info/REQUESTED",
+]
+
+
 def _zip_impl(src: Path, out: Path) -> None:
     """Pack a directory into a deterministic zip (used inside container)."""
     from repro_lambda.zip_packager import pack_directory
 
-    pack_directory(src, out)
+    pack_directory(src, out, exclude_glob=_LAMBDA_ZIP_EXCLUDES)
 
 
 @app.command(name="zip")

{repro_lambda-0.2.2 → repro_lambda-0.2.4}/src/repro_lambda/docker_runner.py

@@ -37,7 +37,7 @@ class DockerRunError(RuntimeError):
 
 _PYTHON_INSTALL_SCRIPT = r"""
 set -euxo pipefail
-PKG=/build/pkg
+PKG=/tmp/build/pkg
 mkdir -p "$PKG"
 cp -R /src/source/. "$PKG/"
 
@@ -50,15 +50,9 @@ pip install \
   --target "$PKG" \
   --requirement /src/requirements.lock
 
-# v0.1 byte-output cleanup: strip non-deterministic install metadata + caches.
-find "$PKG" -type d -name "__pycache__" -prune -exec sh -c 'for d; do rm -rf -- "$d"; done' _ {} +
-find "$PKG" -type f -name "*.pyc" -delete
-find "$PKG" -type d -name "*.dist-info" -exec sh -c '
-  for d; do
-    rm -f -- "$d/RECORD" "$d/INSTALLER" "$d/direct_url.json" "$d/REQUESTED"
-  done
-' _ {} +
-
+# Byte-output cleanup (caches + non-deterministic dist-info metadata) happens in the
+# Python zip step below, so this script needs no findutils/xargs (both absent from the
+# minimal AWS Lambda base images).
 python3 -m repro_lambda zip --src "$PKG" --out /out/lambda.zip
 """
 

{repro_lambda-0.2.2 → repro_lambda-0.2.4}/tests/test_cli_build.py

@@ -109,3 +109,23 @@ def test_cli_build_allow_dirty_bypasses_guard(consumer_repo: Path, mocker):
         ],
     )
     assert result.exit_code == 0, result.stdout
+
+
+def test_cli_build_arch_filter_skips_nonmatching(consumer_repo: Path, mocker):
+    mock_docker = mocker.patch("repro_lambda.build.build_python_lambda")
+    result = runner.invoke(
+        app,
+        [
+            "build",
+            "app",
+            "--manifest",
+            str(consumer_repo / "lambdas.toml"),
+            "--arch",
+            "x86_64",
+            "--dry-run",
+        ],
+    )
+    # consumer_repo's only lambda 'app' is arm64; an x86_64 filter -> nothing to build.
+    assert result.exit_code == 0, result.stdout
+    assert "nothing to build" in result.stdout
+    mock_docker.assert_not_called()

{repro_lambda-0.2.2 → repro_lambda-0.2.4}/tests/test_cli_smoke.py

@@ -1,5 +1,6 @@
 from typer.testing import CliRunner
 
+from repro_lambda import __version__
 from repro_lambda.cli import app
 
 runner = CliRunner()
@@ -8,7 +9,7 @@ runner = CliRunner()
 def test_cli_version_shows_package_version():
     result = runner.invoke(app, ["--version"])
     assert result.exit_code == 0
-    assert "0.2.1" in result.stdout
+    assert __version__ in result.stdout
 
 
 def test_cli_build_subcommand_exists():

repro_lambda-0.2.4/tests/test_zip_excludes.py

@@ -0,0 +1,38 @@
+from pathlib import Path
+from zipfile import ZipFile
+
+from typer.testing import CliRunner
+
+from repro_lambda.cli import app
+
+runner = CliRunner()
+
+
+def test_zip_excludes_caches_and_dist_info_metadata(tmp_path: Path):
+    """`repro-lambda zip` strips caches + non-deterministic dist-info metadata,
+    so the container build needs no find/xargs (absent from minimal base images)."""
+    pkg = tmp_path / "pkg"
+    (pkg / "mymod").mkdir(parents=True)
+    (pkg / "mymod" / "__init__.py").write_text("x = 1\n")
+    (pkg / "mymod" / "__pycache__").mkdir()
+    (pkg / "mymod" / "__pycache__" / "__init__.cpython-313.pyc").write_bytes(b"\x00")
+    (pkg / "mymod" / "stale.pyc").write_bytes(b"\x00")
+    dist = pkg / "req-1.0.dist-info"
+    dist.mkdir()
+    (dist / "RECORD").write_text("mymod/__init__.py,,\n")
+    (dist / "INSTALLER").write_text("pip\n")
+    (dist / "METADATA").write_text("Name: req\n")
+
+    out = tmp_path / "lambda.zip"
+    result = runner.invoke(app, ["zip", "--src", str(pkg), "--out", str(out)])
+    assert result.exit_code == 0, result.stdout
+
+    names = ZipFile(out).namelist()
+    # kept: real code + stable dist-info metadata
+    assert "mymod/__init__.py" in names
+    assert "req-1.0.dist-info/METADATA" in names
+    # stripped: caches + non-deterministic metadata
+    assert not any("__pycache__" in n for n in names)
+    assert not any(n.endswith(".pyc") for n in names)
+    assert "req-1.0.dist-info/RECORD" not in names
+    assert "req-1.0.dist-info/INSTALLER" not in names

{repro_lambda-0.2.2 → repro_lambda-0.2.4}/uv.lock

@@ -646,7 +646,7 @@ wheels = [
 
 [[package]]
 name = "repro-lambda"
-version = "0.2.2"
+version = "0.2.4"
 source = { editable = "." }
 dependencies = [
     { name = "boto3" },