repro-lambda 0.2.3__tar.gz → 0.3.0__tar.gz

{repro_lambda-0.2.3 → repro_lambda-0.3.0}/.github/workflows/build.yml

@@ -7,24 +7,20 @@ on:
         type: string
         default: lambdas.toml
         description: Path to lambdas.toml in the caller repo.
-      repro_lambda_version:
-        type: string
-        default: "0.2.3"
-        description: Pinned repro-lambda PyPI version.
-      aws-dev-role-arn:
+      aws_dev_role_arn:
         type: string
         required: true
         description: ARN of the dev OIDC role assumed for artifact upload. Not a secret (the security boundary is the OIDC trust policy + bucket immutability), so callers pass it as a plain input.
-      aws-prod-role-arn:
+      aws_prod_role_arn:
         type: string
         required: false
         default: ""
         description: ARN of the prod OIDC role (master push only). Empty string disables the prod upload steps.
-      dev-bucket:
+      dev_bucket:
         type: string
         required: true
         description: S3 bucket name for dev Lambda artifacts (set as REPRO_LAMBDA_BUCKET on the dev upload). Caller-supplied so the reusable workflow stays consumer-agnostic.
-      prod-bucket:
+      prod_bucket:
         type: string
         required: false
         default: ""
@@ -36,8 +32,8 @@ jobs:
     outputs:
       arches: ${{ steps.parse.outputs.arches }}
     steps:
-      - uses: actions/checkout@v4
-      - uses: astral-sh/setup-uv@v3
+      - uses: actions/checkout@v7
+      - uses: astral-sh/setup-uv@v8.2.0
       - id: parse
         shell: bash
         run: |
@@ -65,36 +61,36 @@ jobs:
       id-token: write
       contents: write
     steps:
-      - uses: actions/checkout@v4
-      - uses: astral-sh/setup-uv@v3
+      - uses: actions/checkout@v7
+      - uses: astral-sh/setup-uv@v8.2.0
 
       - name: Configure AWS credentials (dev)
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@v6
         with:
-          role-to-assume: ${{ inputs.aws-dev-role-arn }}
+          role-to-assume: ${{ inputs.aws_dev_role_arn }}
           aws-region: eu-west-1
 
       - name: Build (dev bucket)
         env:
-          REPRO_LAMBDA_BUCKET: ${{ inputs.dev-bucket }}
-        run: uvx --from "repro-lambda==${{ inputs.repro_lambda_version }}" repro-lambda build --manifest "${{ inputs.manifest_path }}" --arch "${{ matrix.arch }}"
+          REPRO_LAMBDA_BUCKET: ${{ inputs.dev_bucket }}
+        run: uvx --from repro-lambda repro-lambda build --manifest "${{ inputs.manifest_path }}" --arch "${{ matrix.arch }}"
 
       - name: Verify reproducible (PR only)
         if: github.event_name == 'pull_request'
-        run: uvx --from "repro-lambda==${{ inputs.repro_lambda_version }}" repro-lambda build --manifest "${{ inputs.manifest_path }}" --arch "${{ matrix.arch }}" --verify --dry-run
+        run: uvx --from repro-lambda repro-lambda build --manifest "${{ inputs.manifest_path }}" --arch "${{ matrix.arch }}" --verify --dry-run
 
       - name: Configure AWS credentials (prod)
-        if: github.ref == 'refs/heads/master' && inputs.aws-prod-role-arn != ''
-        uses: aws-actions/configure-aws-credentials@v4
+        if: github.ref == 'refs/heads/master' && inputs.aws_prod_role_arn != ''
+        uses: aws-actions/configure-aws-credentials@v6
         with:
-          role-to-assume: ${{ inputs.aws-prod-role-arn }}
+          role-to-assume: ${{ inputs.aws_prod_role_arn }}
           aws-region: eu-west-1
 
       - name: Build (prod bucket)
-        if: github.ref == 'refs/heads/master' && inputs.aws-prod-role-arn != ''
+        if: github.ref == 'refs/heads/master' && inputs.aws_prod_role_arn != ''
         env:
-          REPRO_LAMBDA_BUCKET: ${{ inputs.prod-bucket }}
-        run: uvx --from "repro-lambda==${{ inputs.repro_lambda_version }}" repro-lambda build --manifest "${{ inputs.manifest_path }}" --arch "${{ matrix.arch }}"
+          REPRO_LAMBDA_BUCKET: ${{ inputs.prod_bucket }}
+        run: uvx --from repro-lambda repro-lambda build --manifest "${{ inputs.manifest_path }}" --arch "${{ matrix.arch }}"
 
       - name: Commit catalog drift (master only, dev bot)
         if: github.ref == 'refs/heads/master'

{repro_lambda-0.2.3 → repro_lambda-0.3.0}/.github/workflows/ci.yml

@@ -9,8 +9,8 @@ jobs:
   lint-and-test:
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v4
-      - uses: astral-sh/setup-uv@v3
+      - uses: actions/checkout@v7
+      - uses: astral-sh/setup-uv@v8.2.0
         with:
           enable-cache: true
       - run: uv sync --all-extras

repro_lambda-0.3.0/.github/workflows/promote.yml

@@ -0,0 +1,75 @@
+name: promote-lambdas (reusable)
+
+# Promote already-built dev artifacts to prod by content-addressed S3 copy.
+# No rebuild: the exact lambdas/<name>/<sha>.zip tested in dev is copied to the
+# prod bucket, so a cross-architecture prod runner can never diverge from dev.
+on:
+  workflow_call:
+    inputs:
+      manifest_path:
+        type: string
+        default: lambdas.toml
+        description: Path to lambdas.toml in the caller repo.
+      source_sha:
+        type: string
+        required: true
+        description: 40-char hex commit on the caller's master that produced the dev artifacts. Validated and checked out before reading the manifest/catalog.
+      promoter_role_arn:
+        type: string
+        required: true
+        description: ARN of the prod OIDC role assumed for the cross-account dev-read + prod-write copy. Not a secret (the boundary is the OIDC trust policy + bucket immutability).
+      dev_bucket:
+        type: string
+        required: true
+        description: Source (dev) base S3 bucket; us-east-1 variant auto-derived for Lambda@Edge.
+      prod_bucket:
+        type: string
+        required: true
+        description: Destination (prod) base S3 bucket; us-east-1 variant auto-derived for Lambda@Edge.
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  promote:
+    runs-on: ubuntu-24.04
+    env:
+      SOURCE_SHA: ${{ inputs.source_sha }}
+    steps:
+      # Validate source_sha BEFORE checkout to defend against script injection
+      # via the inputs.source_sha expression (passed through env: + bash regex).
+      - name: Validate source_sha shape (40-char hex)
+        run: |
+          if ! [[ "$SOURCE_SHA" =~ ^[a-f0-9]{40}$ ]]; then
+            echo "::error::source_sha must be 40-char lowercase hex; got '$SOURCE_SHA'"
+            exit 1
+          fi
+
+      - uses: actions/checkout@v7
+        with:
+          ref: ${{ env.SOURCE_SHA }}
+          fetch-depth: 0
+
+      - name: Validate source_sha is reachable from origin/master
+        run: |
+          git fetch origin master
+          if ! git merge-base --is-ancestor "$SOURCE_SHA" origin/master; then
+            echo "::error::source_sha=$SOURCE_SHA not on master lineage"
+            exit 1
+          fi
+
+      - uses: astral-sh/setup-uv@v8.2.0
+
+      - name: Configure AWS credentials (prod promoter)
+        uses: aws-actions/configure-aws-credentials@v6
+        with:
+          role-to-assume: ${{ inputs.promoter_role_arn }}
+          aws-region: eu-west-1
+
+      - name: Promote dev -> prod (content-addressed copy)
+        env:
+          REPRO_LAMBDA_DEV_BUCKET: ${{ inputs.dev_bucket }}
+          REPRO_LAMBDA_PROD_BUCKET: ${{ inputs.prod_bucket }}
+          MANIFEST_PATH: ${{ inputs.manifest_path }}
+        run: uvx --from repro-lambda repro-lambda promote --manifest "$MANIFEST_PATH"

{repro_lambda-0.2.3 → repro_lambda-0.3.0}/.github/workflows/publish.yml

@@ -2,7 +2,9 @@ name: publish
 
 on:
   push:
-    tags: ["v*"]
+    # Full semver tags only (vX.Y.Z) trigger a PyPI release. The sliding major
+    # tag (v1), which consumer workflows pin via @v1, must NOT trigger publish.
+    tags: ["v*.*.*"]
 
 jobs:
   build-and-publish:
@@ -11,8 +13,8 @@ jobs:
       id-token: write
       contents: read
     steps:
-      - uses: actions/checkout@v4
-      - uses: astral-sh/setup-uv@v3
+      - uses: actions/checkout@v7
+      - uses: astral-sh/setup-uv@v8.2.0
       - run: uv sync --all-extras
 
       - name: Verify tag matches package version

{repro_lambda-0.2.3 → repro_lambda-0.3.0}/CHANGELOG.md

@@ -1,5 +1,28 @@
 # Changelog
 
+## v0.3.0 - 2026-06-21
+
+### Added
+- `promote` command: copy an already-built artifact from the dev bucket to the prod bucket by content hash, with no rebuild. The sha per lambda is read from `builds/catalog.json`, so the promoted object is byte-for-byte the one built and tested in dev. Idempotent (skips keys already present); Lambda@Edge specs resolve to the `-us-east-1` bucket variant on both sides. `S3Uploader.copy()` performs the server-side `CopyObject`.
+- Reusable workflow `promote.yml`: validates `source_sha` (40-char hex + master-lineage), checks it out, assumes a caller-supplied promoter role, and runs `promote`. Inputs: `manifest_path`, `source_sha`, `promoter_role_arn`, `dev_bucket`, `prod_bucket`.
+
+### Consumer migration
+- Replace a rebuild-on-prod `promote-to-prod` job with a call to the reusable workflow:
+
+      jobs:
+        promote:
+          uses: antonbabenko/repro-lambda/.github/workflows/promote.yml@v1
+          with:
+            source_sha: ${{ inputs.source_sha }}
+            promoter_role_arn: arn:aws:iam::<account>:role/<promoter-role>
+            dev_bucket: <env>-my-lambda-artifacts
+            prod_bucket: <env>-my-lambda-artifacts
+
+## v0.2.4 - 2026-06-20
+
+### Fixed
+- Container build no longer shells out to `find`/`xargs` (both absent from the minimal AWS Lambda base images, which caused `find: command not found`). The post-install cleanup (Python caches + non-deterministic `*.dist-info` metadata: RECORD, INSTALLER, direct_url.json, REQUESTED) now happens in the Python zip step via exclude globs, producing the same artifact bytes.
+
 ## v0.2.3 - 2026-06-20
 
 ### Fixed

{repro_lambda-0.2.3 → repro_lambda-0.3.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: repro-lambda
-Version: 0.2.3
+Version: 0.3.0
 Summary: Build reproducible AWS Lambda packages outside Terraform, optimized for terraform-aws-lambda by serverless.tf.
 Project-URL: Homepage, https://github.com/antonbabenko/repro-lambda
 Project-URL: Repository, https://github.com/antonbabenko/repro-lambda

{repro_lambda-0.2.3 → repro_lambda-0.3.0}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "repro-lambda"
-version = "0.2.3"
+version = "0.3.0"
 description = "Build reproducible AWS Lambda packages outside Terraform, optimized for terraform-aws-lambda by serverless.tf."
 readme = "README.md"
 requires-python = ">=3.11"

{repro_lambda-0.2.3 → repro_lambda-0.3.0}/src/repro_lambda/__init__.py

@@ -1,3 +1,3 @@
 """repro-lambda — reproducible AWS Lambda packaging outside Terraform."""
 
-__version__ = "0.2.3"
+__version__ = "0.3.0"

{repro_lambda-0.2.3 → repro_lambda-0.3.0}/src/repro_lambda/cli.py

@@ -169,6 +169,95 @@ def build(
     typer.echo(json.dumps(summary, indent=2))
 
 
+@app.command()
+def promote(
+    target: Annotated[str, typer.Argument(help="Lambda logical_name or 'all'.")] = "all",
+    manifest: Annotated[
+        Path,
+        typer.Option("--manifest", "-m", help="Path to lambdas.toml."),
+    ] = Path("lambdas.toml"),
+    dev_bucket: Annotated[
+        str,
+        typer.Option(
+            "--dev-bucket",
+            envvar="REPRO_LAMBDA_DEV_BUCKET",
+            help="Source (dev) base bucket; us-east-1 variant auto-derived.",
+        ),
+    ] = "",
+    prod_bucket: Annotated[
+        str,
+        typer.Option(
+            "--prod-bucket",
+            envvar="REPRO_LAMBDA_PROD_BUCKET",
+            help="Destination (prod) base bucket; us-east-1 variant auto-derived.",
+        ),
+    ] = "",
+    dry_run: Annotated[bool, typer.Option("--dry-run")] = False,
+) -> None:
+    """Copy built artifacts dev -> prod by content hash (no rebuild).
+
+    The sha per lambda is read from builds/catalog.json, so the artifact promoted
+    is exactly the one the source commit built and tested in dev.
+    """
+    import json
+
+    from repro_lambda.manifest import load_manifest
+    from repro_lambda.promote import (
+        MissingSourceArtifactError,
+        UnknownShaError,
+        promote_one,
+        sha_from_catalog,
+    )
+
+    repo_root = manifest.parent.resolve()
+    parsed = load_manifest(manifest)
+
+    selected = (
+        parsed.lambdas
+        if target == "all"
+        else [s for s in parsed.lambdas if s.logical_name == target]
+    )
+    if not selected:
+        typer.echo(f"no lambda named {target!r} in {manifest}", err=True)
+        raise typer.Exit(2)
+
+    if not dry_run and (not dev_bucket or not prod_bucket):
+        typer.echo(
+            "--dev-bucket and --prod-bucket (or REPRO_LAMBDA_DEV_BUCKET / "
+            "REPRO_LAMBDA_PROD_BUCKET) are required for non-dry-run",
+            err=True,
+        )
+        raise typer.Exit(2)
+
+    catalog_path = repo_root / "builds" / "catalog.json"
+    summary = []
+    for spec in selected:
+        try:
+            sha = sha_from_catalog(catalog_path, spec.logical_name)
+            outcome = promote_one(
+                spec=spec,
+                sha=sha,
+                dev_bucket=dev_bucket,
+                prod_bucket=prod_bucket,
+                dry_run=dry_run,
+            )
+        except (MissingSourceArtifactError, UnknownShaError) as e:
+            typer.echo(str(e), err=True)
+            raise typer.Exit(1) from e
+        summary.append(
+            {
+                "logical_name": spec.logical_name,
+                "outcome": outcome.outcome.value,
+                "sha256": outcome.sha256,
+                "bucket_key": outcome.bucket_key,
+                "src_bucket": outcome.src_bucket,
+                "dst_bucket": outcome.dst_bucket,
+            }
+        )
+
+    typer.echo(json.dumps(summary, indent=2))
+
+
 @app.command()
 def lock(
     manifest: Annotated[Path, typer.Option("--manifest", "-m")] = Path("lambdas.toml"),
@@ -220,11 +309,24 @@ def init() -> None:
     raise typer.Exit(0)
 
 
+# Stripped from every lambda zip so the container build needs no findutils/xargs
+# (absent from minimal Lambda base images): Python caches and the non-deterministic
+# dist-info metadata files pip writes (RECORD, INSTALLER, direct_url.json, REQUESTED).
+_LAMBDA_ZIP_EXCLUDES = [
+    "*__pycache__*",
+    "*.pyc",
+    "*.dist-info/RECORD",
+    "*.dist-info/INSTALLER",
+    "*.dist-info/direct_url.json",
+    "*.dist-info/REQUESTED",
+]
+
+
 def _zip_impl(src: Path, out: Path) -> None:
     """Pack a directory into a deterministic zip (used inside container)."""
     from repro_lambda.zip_packager import pack_directory
 
-    pack_directory(src, out)
+    pack_directory(src, out, exclude_glob=_LAMBDA_ZIP_EXCLUDES)
 
 
 @app.command(name="zip")

{repro_lambda-0.2.3 → repro_lambda-0.3.0}/src/repro_lambda/docker_runner.py

@@ -50,15 +50,9 @@ pip install \
   --target "$PKG" \
   --requirement /src/requirements.lock
 
-# v0.1 byte-output cleanup: strip non-deterministic install metadata + caches.
-find "$PKG" -type d -name "__pycache__" -prune -exec sh -c 'for d; do rm -rf -- "$d"; done' _ {} +
-find "$PKG" -type f -name "*.pyc" -delete
-find "$PKG" -type d -name "*.dist-info" -exec sh -c '
-  for d; do
-    rm -f -- "$d/RECORD" "$d/INSTALLER" "$d/direct_url.json" "$d/REQUESTED"
-  done
-' _ {} +
-
+# Byte-output cleanup (caches + non-deterministic dist-info metadata) happens in the
+# Python zip step below, so this script needs no findutils/xargs (both absent from the
+# minimal AWS Lambda base images).
 python3 -m repro_lambda zip --src "$PKG" --out /out/lambda.zip
 """
 

repro_lambda-0.3.0/src/repro_lambda/promote.py

@@ -0,0 +1,91 @@
+"""Promote a built lambda artifact from the dev bucket to the prod bucket.
+
+Promotion is a content-addressed S3 copy: the exact `lambdas/<name>/<sha>.zip`
+object already built and verified against the dev bucket is copied byte-for-byte
+to the prod bucket. There is no rebuild, so a cross-architecture prod runner can
+never produce a different artifact than the one tested in dev.
+
+The sha to promote comes from `builds/catalog.json` (the bounded build history
+committed to the source repo), so a promote always targets the artifact the
+source commit recorded.
+"""
+
+from __future__ import annotations
+
+import enum
+from dataclasses import dataclass
+from pathlib import Path
+
+from repro_lambda.build import _bucket_for
+from repro_lambda.catalog import load_catalog
+from repro_lambda.manifest import LambdaSpec
+from repro_lambda.s3_uploader import S3Uploader, UploadResult
+
+
+class PromoteResult(enum.Enum):
+    PROMOTED = "promoted"
+    ALREADY_PRESENT = "already_present"
+    DRY_RUN = "dry_run"
+
+
+@dataclass
+class PromoteOutcome:
+    outcome: PromoteResult
+    sha256: str
+    bucket_key: str
+    src_bucket: str
+    dst_bucket: str
+
+
+class MissingSourceArtifactError(RuntimeError):
+    """The dev artifact to promote does not exist (build dev first)."""
+
+
+class UnknownShaError(RuntimeError):
+    """builds/catalog.json has no current sha for the requested lambda."""
+
+
+def sha_from_catalog(catalog_path: Path, logical_name: str) -> str:
+    """Return the current sha recorded for `logical_name`, or raise UnknownShaError."""
+    catalog = load_catalog(catalog_path)
+    lc = catalog.lambdas.get(logical_name)
+    if lc is None or not lc.current:
+        raise UnknownShaError(
+            f"no catalog entry for {logical_name!r} in {catalog_path}; "
+            f"build the dev artifact before promoting"
+        )
+    return lc.current
+
+
+def promote_one(
+    *,
+    spec: LambdaSpec,
+    sha: str,
+    dev_bucket: str,
+    prod_bucket: str,
+    uploader: S3Uploader | None = None,
+    dry_run: bool = False,
+) -> PromoteOutcome:
+    """Copy one lambda's `<sha>.zip` from the dev bucket to the prod bucket.
+
+    Lambda@Edge specs (region us-east-1) resolve to the `-us-east-1` bucket
+    variant on both sides, matching the build-side key scheme exactly.
+    """
+    src_bucket = _bucket_for(spec, dev_bucket)
+    dst_bucket = _bucket_for(spec, prod_bucket)
+    key = f"lambdas/{spec.logical_name}/{sha}.zip"
+
+    if dry_run:
+        return PromoteOutcome(PromoteResult.DRY_RUN, sha, key, src_bucket, dst_bucket)
+
+    up = uploader or S3Uploader(region=spec.region)
+    if not up.exists(bucket=src_bucket, key=key):
+        raise MissingSourceArtifactError(
+            f"{spec.logical_name}: source artifact missing at s3://{src_bucket}/{key}"
+        )
+
+    result = up.copy(src_bucket=src_bucket, dst_bucket=dst_bucket, key=key)
+    outcome = (
+        PromoteResult.PROMOTED if result is UploadResult.UPLOADED else PromoteResult.ALREADY_PRESENT
+    )
+    return PromoteOutcome(outcome, sha, key, src_bucket, dst_bucket)

{repro_lambda-0.2.3 → repro_lambda-0.3.0}/src/repro_lambda/s3_uploader.py

@@ -28,6 +28,25 @@ class S3Uploader:
                 return False
             raise
 
+    def copy(self, *, src_bucket: str, dst_bucket: str, key: str) -> UploadResult:
+        """
+        Server-side copy of the same key from src_bucket to dst_bucket.
+
+        Idempotent via a destination existence pre-check; safe because artifact
+        buckets are content-addressed and immutable (the same key never changes
+        bytes). Returns ALREADY_PRESENT if the destination key already exists,
+        UPLOADED otherwise.
+        """
+        if self.exists(bucket=dst_bucket, key=key):
+            return UploadResult.ALREADY_PRESENT
+        self._client.copy_object(
+            Bucket=dst_bucket,
+            Key=key,
+            CopySource={"Bucket": src_bucket, "Key": key},
+            ServerSideEncryption="AES256",
+        )
+        return UploadResult.UPLOADED
+
     def upload(self, *, bucket: str, key: str, body_path: Path) -> UploadResult:
         """
         PutObject with If-None-Match=*.

repro_lambda-0.3.0/tests/test_promote.py

@@ -0,0 +1,228 @@
+"""Promote (dev -> prod copy by content hash) unit + CLI coverage."""
+
+from pathlib import Path
+
+import boto3
+import pytest
+from moto import mock_aws
+from typer.testing import CliRunner
+
+from repro_lambda.cli import app
+from repro_lambda.manifest import LambdaSpec
+from repro_lambda.promote import (
+    MissingSourceArtifactError,
+    PromoteResult,
+    UnknownShaError,
+    promote_one,
+    sha_from_catalog,
+)
+from repro_lambda.s3_uploader import S3Uploader, UploadResult
+
+runner = CliRunner()
+
+DEV = "dev-test-lambda-artifacts"
+PROD = "prod-test-lambda-artifacts"
+
+
+def _make_bucket(client, name: str, region: str) -> None:
+    if region == "us-east-1":
+        client.create_bucket(Bucket=name)
+    else:
+        client.create_bucket(Bucket=name, CreateBucketConfiguration={"LocationConstraint": region})
+
+
+def _spec(name: str, *, region: str = "eu-west-1", at_edge: bool = False) -> LambdaSpec:
+    return LambdaSpec(
+        logical_name=name,
+        source_dir="handler",
+        requirements_lock="handler/requirements.${arch}.lock",
+        runtime="python3.13",
+        arch="x86_64" if at_edge else "arm64",
+        handler="app.lambda_handler",
+        region=region,
+        lambda_at_edge=at_edge,
+    )
+
+
+# --- S3Uploader.copy -------------------------------------------------------
+
+
+def test_copy_uploads_then_reports_already_present():
+    with mock_aws():
+        c = boto3.client("s3", region_name="eu-west-1")
+        _make_bucket(c, DEV, "eu-west-1")
+        _make_bucket(c, PROD, "eu-west-1")
+        c.put_object(Bucket=DEV, Key="lambdas/app/abc.zip", Body=b"PK\x05\x06" + b"\x00" * 18)
+
+        up = S3Uploader(region="eu-west-1")
+        first = up.copy(src_bucket=DEV, dst_bucket=PROD, key="lambdas/app/abc.zip")
+        second = up.copy(src_bucket=DEV, dst_bucket=PROD, key="lambdas/app/abc.zip")
+
+        assert first == UploadResult.UPLOADED
+        assert second == UploadResult.ALREADY_PRESENT
+        assert up.exists(bucket=PROD, key="lambdas/app/abc.zip")
+
+
+# --- promote_one -----------------------------------------------------------
+
+
+def test_promote_one_copies_regional_lambda():
+    with mock_aws():
+        c = boto3.client("s3", region_name="eu-west-1")
+        _make_bucket(c, DEV, "eu-west-1")
+        _make_bucket(c, PROD, "eu-west-1")
+        c.put_object(Bucket=DEV, Key="lambdas/app/sha1.zip", Body=b"z")
+
+        out = promote_one(spec=_spec("app"), sha="sha1", dev_bucket=DEV, prod_bucket=PROD)
+
+        assert out.outcome == PromoteResult.PROMOTED
+        assert out.src_bucket == DEV
+        assert out.dst_bucket == PROD
+        assert out.bucket_key == "lambdas/app/sha1.zip"
+        assert c.head_object(Bucket=PROD, Key="lambdas/app/sha1.zip")
+
+
+def test_promote_one_edge_lambda_uses_us_east_1_bucket_variant():
+    with mock_aws():
+        eu = boto3.client("s3", region_name="eu-west-1")
+        us = boto3.client("s3", region_name="us-east-1")
+        _make_bucket(eu, DEV, "eu-west-1")
+        _make_bucket(eu, PROD, "eu-west-1")
+        _make_bucket(us, f"{DEV}-us-east-1", "us-east-1")
+        _make_bucket(us, f"{PROD}-us-east-1", "us-east-1")
+        us.put_object(Bucket=f"{DEV}-us-east-1", Key="lambdas/edge/e1.zip", Body=b"z")
+
+        out = promote_one(
+            spec=_spec("edge", region="us-east-1", at_edge=True),
+            sha="e1",
+            dev_bucket=DEV,
+            prod_bucket=PROD,
+        )
+
+        assert out.src_bucket == f"{DEV}-us-east-1"
+        assert out.dst_bucket == f"{PROD}-us-east-1"
+        assert us.head_object(Bucket=f"{PROD}-us-east-1", Key="lambdas/edge/e1.zip")
+
+
+def test_promote_one_missing_source_raises():
+    with mock_aws():
+        c = boto3.client("s3", region_name="eu-west-1")
+        _make_bucket(c, DEV, "eu-west-1")
+        _make_bucket(c, PROD, "eu-west-1")
+
+        with pytest.raises(MissingSourceArtifactError):
+            promote_one(spec=_spec("app"), sha="missing", dev_bucket=DEV, prod_bucket=PROD)
+
+
+def test_promote_one_dry_run_touches_no_s3():
+    out = promote_one(spec=_spec("app"), sha="sha1", dev_bucket=DEV, prod_bucket=PROD, dry_run=True)
+    assert out.outcome == PromoteResult.DRY_RUN
+    assert out.bucket_key == "lambdas/app/sha1.zip"
+
+
+# --- sha_from_catalog ------------------------------------------------------
+
+
+def test_sha_from_catalog_reads_current(tmp_path: Path):
+    catalog = tmp_path / "catalog.json"
+    catalog.write_text(
+        '{"schema_version": 1, "lambdas": {"app": {"current": "deadbeef", "history": []}}}\n'
+    )
+    assert sha_from_catalog(catalog, "app") == "deadbeef"
+
+
+def test_sha_from_catalog_unknown_lambda_raises(tmp_path: Path):
+    catalog = tmp_path / "catalog.json"
+    catalog.write_text('{"schema_version": 1, "lambdas": {}}\n')
+    with pytest.raises(UnknownShaError):
+        sha_from_catalog(catalog, "app")
+
+
+# --- CLI -------------------------------------------------------------------
+
+
+def _consumer(tmp_path: Path) -> Path:
+    repo = tmp_path / "consumer"
+    (repo / "handler").mkdir(parents=True)
+    (repo / "lambdas.toml").write_text(
+        "[[lambda]]\n"
+        'logical_name      = "app"\n'
+        'source_dir        = "handler"\n'
+        'requirements_lock = "handler/requirements.${arch}.lock"\n'
+        'runtime           = "python3.13"\n'
+        'arch              = "arm64"\n'
+        'handler           = "app.lambda_handler"\n'
+        'region            = "eu-west-1"\n'
+        "\n"
+        "[builder]\n"
+        'base_image_python = "public.ecr.aws/lambda/python:3.13@sha256:' + "0" * 64 + '"\n'
+    )
+    (repo / "builds").mkdir()
+    (repo / "builds" / "catalog.json").write_text(
+        '{"schema_version": 1, "lambdas": {"app": {"current": "cafef00d", "history": []}}}\n'
+    )
+    return repo
+
+
+def test_cli_promote_copies_from_catalog(tmp_path: Path):
+    repo = _consumer(tmp_path)
+    with mock_aws():
+        c = boto3.client("s3", region_name="eu-west-1")
+        _make_bucket(c, DEV, "eu-west-1")
+        _make_bucket(c, PROD, "eu-west-1")
+        c.put_object(Bucket=DEV, Key="lambdas/app/cafef00d.zip", Body=b"z")
+
+        result = runner.invoke(
+            app,
+            [
+                "promote",
+                "app",
+                "--manifest",
+                str(repo / "lambdas.toml"),
+                "--dev-bucket",
+                DEV,
+                "--prod-bucket",
+                PROD,
+            ],
+        )
+        assert result.exit_code == 0, result.stdout
+        assert "promoted" in result.stdout
+        assert c.head_object(Bucket=PROD, Key="lambdas/app/cafef00d.zip")
+
+
+def test_cli_promote_dry_run_touches_no_s3(tmp_path: Path):
+    repo = _consumer(tmp_path)
+    result = runner.invoke(
+        app,
+        [
+            "promote",
+            "app",
+            "--manifest",
+            str(repo / "lambdas.toml"),
+            "--dev-bucket",
+            DEV,
+            "--prod-bucket",
+            PROD,
+            "--dry-run",
+        ],
+    )
+    assert result.exit_code == 0, result.stdout
+    assert "dry_run" in result.stdout
+
+
+def test_cli_promote_unknown_target_exits_2(tmp_path: Path):
+    repo = _consumer(tmp_path)
+    result = runner.invoke(
+        app,
+        [
+            "promote",
+            "nope",
+            "--manifest",
+            str(repo / "lambdas.toml"),
+            "--dev-bucket",
+            DEV,
+            "--prod-bucket",
+            PROD,
+        ],
+    )
+    assert result.exit_code == 2

repro_lambda-0.3.0/tests/test_zip_excludes.py

@@ -0,0 +1,38 @@
+from pathlib import Path
+from zipfile import ZipFile
+
+from typer.testing import CliRunner
+
+from repro_lambda.cli import app
+
+runner = CliRunner()
+
+
+def test_zip_excludes_caches_and_dist_info_metadata(tmp_path: Path):
+    """`repro-lambda zip` strips caches + non-deterministic dist-info metadata,
+    so the container build needs no find/xargs (absent from minimal base images)."""
+    pkg = tmp_path / "pkg"
+    (pkg / "mymod").mkdir(parents=True)
+    (pkg / "mymod" / "__init__.py").write_text("x = 1\n")
+    (pkg / "mymod" / "__pycache__").mkdir()
+    (pkg / "mymod" / "__pycache__" / "__init__.cpython-313.pyc").write_bytes(b"\x00")
+    (pkg / "mymod" / "stale.pyc").write_bytes(b"\x00")
+    dist = pkg / "req-1.0.dist-info"
+    dist.mkdir()
+    (dist / "RECORD").write_text("mymod/__init__.py,,\n")
+    (dist / "INSTALLER").write_text("pip\n")
+    (dist / "METADATA").write_text("Name: req\n")
+
+    out = tmp_path / "lambda.zip"
+    result = runner.invoke(app, ["zip", "--src", str(pkg), "--out", str(out)])
+    assert result.exit_code == 0, result.stdout
+
+    names = ZipFile(out).namelist()
+    # kept: real code + stable dist-info metadata
+    assert "mymod/__init__.py" in names
+    assert "req-1.0.dist-info/METADATA" in names
+    # stripped: caches + non-deterministic metadata
+    assert not any("__pycache__" in n for n in names)
+    assert not any(n.endswith(".pyc") for n in names)
+    assert "req-1.0.dist-info/RECORD" not in names
+    assert "req-1.0.dist-info/INSTALLER" not in names

{repro_lambda-0.2.3 → repro_lambda-0.3.0}/uv.lock

@@ -646,7 +646,7 @@ wheels = [
 
 [[package]]
 name = "repro-lambda"
-version = "0.2.3"
+version = "0.3.0"
 source = { editable = "." }
 dependencies = [
     { name = "boto3" },