repro-lambda 0.2.4__tar.gz → 0.4.0__tar.gz

{repro_lambda-0.2.4 → repro_lambda-0.4.0}/.github/workflows/build.yml

@@ -7,24 +7,20 @@ on:
         type: string
         default: lambdas.toml
         description: Path to lambdas.toml in the caller repo.
-      repro_lambda_version:
-        type: string
-        default: "0.2.4"
-        description: Pinned repro-lambda PyPI version.
-      aws-dev-role-arn:
+      aws_dev_role_arn:
         type: string
         required: true
         description: ARN of the dev OIDC role assumed for artifact upload. Not a secret (the security boundary is the OIDC trust policy + bucket immutability), so callers pass it as a plain input.
-      aws-prod-role-arn:
+      aws_prod_role_arn:
         type: string
         required: false
         default: ""
         description: ARN of the prod OIDC role (master push only). Empty string disables the prod upload steps.
-      dev-bucket:
+      dev_bucket:
         type: string
         required: true
         description: S3 bucket name for dev Lambda artifacts (set as REPRO_LAMBDA_BUCKET on the dev upload). Caller-supplied so the reusable workflow stays consumer-agnostic.
-      prod-bucket:
+      prod_bucket:
         type: string
         required: false
         default: ""
@@ -36,8 +32,8 @@ jobs:
     outputs:
       arches: ${{ steps.parse.outputs.arches }}
     steps:
-      - uses: actions/checkout@v4
-      - uses: astral-sh/setup-uv@v3
+      - uses: actions/checkout@v7
+      - uses: astral-sh/setup-uv@v8.2.0
       - id: parse
         shell: bash
         run: |
@@ -65,36 +61,36 @@ jobs:
       id-token: write
       contents: write
     steps:
-      - uses: actions/checkout@v4
-      - uses: astral-sh/setup-uv@v3
+      - uses: actions/checkout@v7
+      - uses: astral-sh/setup-uv@v8.2.0
 
       - name: Configure AWS credentials (dev)
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@v6
         with:
-          role-to-assume: ${{ inputs.aws-dev-role-arn }}
+          role-to-assume: ${{ inputs.aws_dev_role_arn }}
           aws-region: eu-west-1
 
       - name: Build (dev bucket)
         env:
-          REPRO_LAMBDA_BUCKET: ${{ inputs.dev-bucket }}
-        run: uvx --from "repro-lambda==${{ inputs.repro_lambda_version }}" repro-lambda build --manifest "${{ inputs.manifest_path }}" --arch "${{ matrix.arch }}"
+          REPRO_LAMBDA_BUCKET: ${{ inputs.dev_bucket }}
+        run: uvx --from repro-lambda repro-lambda build --manifest "${{ inputs.manifest_path }}" --arch "${{ matrix.arch }}"
 
       - name: Verify reproducible (PR only)
         if: github.event_name == 'pull_request'
-        run: uvx --from "repro-lambda==${{ inputs.repro_lambda_version }}" repro-lambda build --manifest "${{ inputs.manifest_path }}" --arch "${{ matrix.arch }}" --verify --dry-run
+        run: uvx --from repro-lambda repro-lambda build --manifest "${{ inputs.manifest_path }}" --arch "${{ matrix.arch }}" --verify --dry-run
 
       - name: Configure AWS credentials (prod)
-        if: github.ref == 'refs/heads/master' && inputs.aws-prod-role-arn != ''
-        uses: aws-actions/configure-aws-credentials@v4
+        if: github.ref == 'refs/heads/master' && inputs.aws_prod_role_arn != ''
+        uses: aws-actions/configure-aws-credentials@v6
         with:
-          role-to-assume: ${{ inputs.aws-prod-role-arn }}
+          role-to-assume: ${{ inputs.aws_prod_role_arn }}
           aws-region: eu-west-1
 
       - name: Build (prod bucket)
-        if: github.ref == 'refs/heads/master' && inputs.aws-prod-role-arn != ''
+        if: github.ref == 'refs/heads/master' && inputs.aws_prod_role_arn != ''
         env:
-          REPRO_LAMBDA_BUCKET: ${{ inputs.prod-bucket }}
-        run: uvx --from "repro-lambda==${{ inputs.repro_lambda_version }}" repro-lambda build --manifest "${{ inputs.manifest_path }}" --arch "${{ matrix.arch }}"
+          REPRO_LAMBDA_BUCKET: ${{ inputs.prod_bucket }}
+        run: uvx --from repro-lambda repro-lambda build --manifest "${{ inputs.manifest_path }}" --arch "${{ matrix.arch }}"
 
       - name: Commit catalog drift (master only, dev bot)
         if: github.ref == 'refs/heads/master'

{repro_lambda-0.2.4 → repro_lambda-0.4.0}/.github/workflows/ci.yml

@@ -9,8 +9,8 @@ jobs:
   lint-and-test:
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v4
-      - uses: astral-sh/setup-uv@v3
+      - uses: actions/checkout@v7
+      - uses: astral-sh/setup-uv@v8.2.0
         with:
           enable-cache: true
       - run: uv sync --all-extras

repro_lambda-0.4.0/.github/workflows/promote.yml

@@ -0,0 +1,75 @@
+name: promote-lambdas (reusable)
+
+# Promote already-built dev artifacts to prod by content-addressed S3 copy.
+# No rebuild: the exact lambdas/<name>/<sha>.zip tested in dev is copied to the
+# prod bucket, so a cross-architecture prod runner can never diverge from dev.
+on:
+  workflow_call:
+    inputs:
+      manifest_path:
+        type: string
+        default: lambdas.toml
+        description: Path to lambdas.toml in the caller repo.
+      source_sha:
+        type: string
+        required: true
+        description: 40-char hex commit on the caller's master that produced the dev artifacts. Validated and checked out before reading the manifest/catalog.
+      promoter_role_arn:
+        type: string
+        required: true
+        description: ARN of the prod OIDC role assumed for the cross-account dev-read + prod-write copy. Not a secret (the boundary is the OIDC trust policy + bucket immutability).
+      dev_bucket:
+        type: string
+        required: true
+        description: Source (dev) base S3 bucket; us-east-1 variant auto-derived for Lambda@Edge.
+      prod_bucket:
+        type: string
+        required: true
+        description: Destination (prod) base S3 bucket; us-east-1 variant auto-derived for Lambda@Edge.
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  promote:
+    runs-on: ubuntu-24.04
+    env:
+      SOURCE_SHA: ${{ inputs.source_sha }}
+    steps:
+      # Validate source_sha BEFORE checkout to defend against script injection
+      # via the inputs.source_sha expression (passed through env: + bash regex).
+      - name: Validate source_sha shape (40-char hex)
+        run: |
+          if ! [[ "$SOURCE_SHA" =~ ^[a-f0-9]{40}$ ]]; then
+            echo "::error::source_sha must be 40-char lowercase hex; got '$SOURCE_SHA'"
+            exit 1
+          fi
+
+      - uses: actions/checkout@v7
+        with:
+          ref: ${{ env.SOURCE_SHA }}
+          fetch-depth: 0
+
+      - name: Validate source_sha is reachable from origin/master
+        run: |
+          git fetch origin master
+          if ! git merge-base --is-ancestor "$SOURCE_SHA" origin/master; then
+            echo "::error::source_sha=$SOURCE_SHA not on master lineage"
+            exit 1
+          fi
+
+      - uses: astral-sh/setup-uv@v8.2.0
+
+      - name: Configure AWS credentials (prod promoter)
+        uses: aws-actions/configure-aws-credentials@v6
+        with:
+          role-to-assume: ${{ inputs.promoter_role_arn }}
+          aws-region: eu-west-1
+
+      - name: Promote dev -> prod (content-addressed copy)
+        env:
+          REPRO_LAMBDA_DEV_BUCKET: ${{ inputs.dev_bucket }}
+          REPRO_LAMBDA_PROD_BUCKET: ${{ inputs.prod_bucket }}
+          MANIFEST_PATH: ${{ inputs.manifest_path }}
+        run: uvx --from repro-lambda repro-lambda promote --manifest "$MANIFEST_PATH"

{repro_lambda-0.2.4 → repro_lambda-0.4.0}/.github/workflows/publish.yml

@@ -2,7 +2,9 @@ name: publish
 
 on:
   push:
-    tags: ["v*"]
+    # Full semver tags only (vX.Y.Z) trigger a PyPI release. The sliding major
+    # tag (v1), which consumer workflows pin via @v1, must NOT trigger publish.
+    tags: ["v*.*.*"]
 
 jobs:
   build-and-publish:
@@ -11,8 +13,8 @@ jobs:
       id-token: write
       contents: read
     steps:
-      - uses: actions/checkout@v4
-      - uses: astral-sh/setup-uv@v3
+      - uses: actions/checkout@v7
+      - uses: astral-sh/setup-uv@v8.2.0
       - run: uv sync --all-extras
 
       - name: Verify tag matches package version

{repro_lambda-0.2.4 → repro_lambda-0.4.0}/CHANGELOG.md

@@ -1,5 +1,28 @@
 # Changelog
 
+## v0.4.0 - 2026-06-21
+
+### Added
+- `extra_files` manifest field: bundle prebuilt files or directories into a lambda package alongside its source. Each `[[lambda.extra_files]]` entry has `src` (repo-root-relative, where CI materialized it - e.g. a digest-pinned binary or an extracted release tree), `dest` (package-root-relative), and an optional `executable` flag (sets +x on a file; ignored for directories, which keep source perms). The bytes fold into the content hash via the staged source tree, and the executable bit folds in separately, so flipping it changes the artifact hash even when bytes are identical. This lets a lambda ship vendored CLIs or release trees the consumer's CI downloads and verifies, while the tool itself stays free of any network/tool-download logic. Paths are validated as relative and `..`-free. Specs without `extra_files` hash byte-identically to before.
+
+## v0.3.0 - 2026-06-21
+
+### Added
+- `promote` command: copy an already-built artifact from the dev bucket to the prod bucket by content hash, with no rebuild. The sha per lambda is read from `builds/catalog.json`, so the promoted object is byte-for-byte the one built and tested in dev. Idempotent (skips keys already present); Lambda@Edge specs resolve to the `-us-east-1` bucket variant on both sides. `S3Uploader.copy()` performs the server-side `CopyObject`.
+- Reusable workflow `promote.yml`: validates `source_sha` (40-char hex + master-lineage), checks it out, assumes a caller-supplied promoter role, and runs `promote`. Inputs: `manifest_path`, `source_sha`, `promoter_role_arn`, `dev_bucket`, `prod_bucket`.
+
+### Consumer migration
+- Replace a rebuild-on-prod `promote-to-prod` job with a call to the reusable workflow:
+
+      jobs:
+        promote:
+          uses: antonbabenko/repro-lambda/.github/workflows/promote.yml@v1
+          with:
+            source_sha: ${{ inputs.source_sha }}
+            promoter_role_arn: arn:aws:iam::<account>:role/<promoter-role>
+            dev_bucket: <env>-my-lambda-artifacts
+            prod_bucket: <env>-my-lambda-artifacts
+
 ## v0.2.4 - 2026-06-20
 
 ### Fixed

{repro_lambda-0.2.4 → repro_lambda-0.4.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: repro-lambda
-Version: 0.2.4
+Version: 0.4.0
 Summary: Build reproducible AWS Lambda packages outside Terraform, optimized for terraform-aws-lambda by serverless.tf.
 Project-URL: Homepage, https://github.com/antonbabenko/repro-lambda
 Project-URL: Repository, https://github.com/antonbabenko/repro-lambda

{repro_lambda-0.2.4 → repro_lambda-0.4.0}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "repro-lambda"
-version = "0.2.4"
+version = "0.4.0"
 description = "Build reproducible AWS Lambda packages outside Terraform, optimized for terraform-aws-lambda by serverless.tf."
 readme = "README.md"
 requires-python = ">=3.11"

{repro_lambda-0.2.4 → repro_lambda-0.4.0}/src/repro_lambda/__init__.py

@@ -1,3 +1,3 @@
 """repro-lambda — reproducible AWS Lambda packaging outside Terraform."""
 
-__version__ = "0.2.4"
+__version__ = "0.4.0"

{repro_lambda-0.2.4 → repro_lambda-0.4.0}/src/repro_lambda/build.py

@@ -75,6 +75,7 @@ def compute_sha_for(
             builder=builder,
             stage_dir=stage_dir,
             extra_files=extras,
+            payload_files=list(spec.extra_files),
         )
         return compute_content_hash(
             staged_source_root=stage_dir / "source",
@@ -83,6 +84,7 @@ def compute_sha_for(
             base_image=primary_base_image,
             builder_version=__version__,
             extra_files=extras,
+            payload_exec=[(ef.dest, ef.executable) for ef in spec.extra_files],
         )
 
 
@@ -113,6 +115,7 @@ def build_one(
             builder=builder,
             stage_dir=stage_dir,
             extra_files=extras,
+            payload_files=list(spec.extra_files),
         )
 
         sha = compute_content_hash(
@@ -122,6 +125,7 @@ def build_one(
             base_image=primary_base_image,
             builder_version=__version__,
             extra_files=extras,
+            payload_exec=[(ef.dest, ef.executable) for ef in spec.extra_files],
         )
         bucket_key = f"lambdas/{spec.logical_name}/{sha}.zip"
 

{repro_lambda-0.2.4 → repro_lambda-0.4.0}/src/repro_lambda/cli.py

@@ -169,6 +169,95 @@ def build(
     typer.echo(json.dumps(summary, indent=2))
 
 
+@app.command()
+def promote(
+    target: Annotated[str, typer.Argument(help="Lambda logical_name or 'all'.")] = "all",
+    manifest: Annotated[
+        Path,
+        typer.Option("--manifest", "-m", help="Path to lambdas.toml."),
+    ] = Path("lambdas.toml"),
+    dev_bucket: Annotated[
+        str,
+        typer.Option(
+            "--dev-bucket",
+            envvar="REPRO_LAMBDA_DEV_BUCKET",
+            help="Source (dev) base bucket; us-east-1 variant auto-derived.",
+        ),
+    ] = "",
+    prod_bucket: Annotated[
+        str,
+        typer.Option(
+            "--prod-bucket",
+            envvar="REPRO_LAMBDA_PROD_BUCKET",
+            help="Destination (prod) base bucket; us-east-1 variant auto-derived.",
+        ),
+    ] = "",
+    dry_run: Annotated[bool, typer.Option("--dry-run")] = False,
+) -> None:
+    """Copy built artifacts dev -> prod by content hash (no rebuild).
+
+    The sha per lambda is read from builds/catalog.json, so the artifact promoted
+    is exactly the one the source commit built and tested in dev.
+    """
+    import json
+
+    from repro_lambda.manifest import load_manifest
+    from repro_lambda.promote import (
+        MissingSourceArtifactError,
+        UnknownShaError,
+        promote_one,
+        sha_from_catalog,
+    )
+
+    repo_root = manifest.parent.resolve()
+    parsed = load_manifest(manifest)
+
+    selected = (
+        parsed.lambdas
+        if target == "all"
+        else [s for s in parsed.lambdas if s.logical_name == target]
+    )
+    if not selected:
+        typer.echo(f"no lambda named {target!r} in {manifest}", err=True)
+        raise typer.Exit(2)
+
+    if not dry_run and (not dev_bucket or not prod_bucket):
+        typer.echo(
+            "--dev-bucket and --prod-bucket (or REPRO_LAMBDA_DEV_BUCKET / "
+            "REPRO_LAMBDA_PROD_BUCKET) are required for non-dry-run",
+            err=True,
+        )
+        raise typer.Exit(2)
+
+    catalog_path = repo_root / "builds" / "catalog.json"
+    summary = []
+    for spec in selected:
+        try:
+            sha = sha_from_catalog(catalog_path, spec.logical_name)
+            outcome = promote_one(
+                spec=spec,
+                sha=sha,
+                dev_bucket=dev_bucket,
+                prod_bucket=prod_bucket,
+                dry_run=dry_run,
+            )
+        except (MissingSourceArtifactError, UnknownShaError) as e:
+            typer.echo(str(e), err=True)
+            raise typer.Exit(1) from e
+        summary.append(
+            {
+                "logical_name": spec.logical_name,
+                "outcome": outcome.outcome.value,
+                "sha256": outcome.sha256,
+                "bucket_key": outcome.bucket_key,
+                "src_bucket": outcome.src_bucket,
+                "dst_bucket": outcome.dst_bucket,
+            }
+        )
+
+    typer.echo(json.dumps(summary, indent=2))
+
+
 @app.command()
 def lock(
     manifest: Annotated[Path, typer.Option("--manifest", "-m")] = Path("lambdas.toml"),

{repro_lambda-0.2.4 → repro_lambda-0.4.0}/src/repro_lambda/hasher.py

@@ -24,6 +24,7 @@ def compute_content_hash(
     builder_version: str,
     *,
     extra_files: list[tuple[Path, str]] | None = None,
+    payload_exec: list[tuple[str, bool]] | None = None,
 ) -> str:
     """
     sha256 over: sorted (relative-path, sha256(content)) tuples for the staged tree
@@ -72,4 +73,13 @@ def compute_content_hash(
             h.update(_sha256_file(src).encode("ascii"))
             h.update(b"\n")
 
+    # Payload extra_files (prebuilt binaries/trees) are already hashed by content
+    # via the staged source tree above; fold in their executable bit here so that
+    # flipping +x changes the artifact hash even when bytes are unchanged. Omitted
+    # entirely when empty, preserving byte-identical hashes for specs with none.
+    if payload_exec:
+        h.update(b"---payload-exec---\n")
+        for dest, executable in sorted(payload_exec):
+            h.update(f"{dest}={int(executable)}\n".encode())
+
     return h.hexdigest()

{repro_lambda-0.2.4 → repro_lambda-0.4.0}/src/repro_lambda/manifest.py

@@ -17,6 +17,24 @@ SUPPORTED_ARCHS: tuple[str, ...] = ("arm64", "x86_64")
 SUPPORTED_PACKAGE_MANAGERS = {"pip", "npm"}
 
 
+@dataclass(frozen=True)
+class ExtraFile:
+    """A prebuilt file or directory staged into the package alongside the source.
+
+    `src` is relative to the repo root (where the caller's CI materialized it, e.g.
+    a downloaded + digest-pinned binary or an extracted release tree). `dest` is
+    where it lands in the package (relative to the package root). For a file,
+    `executable` sets the +x bit; for a directory, source perms are preserved and
+    `executable` is ignored. The bytes fold into the content hash via the staged
+    source tree; the executable flag folds in separately, so flipping it changes
+    the artifact hash even when bytes are unchanged.
+    """
+
+    src: str
+    dest: str
+    executable: bool = False
+
+
 @dataclass(frozen=True)
 class LambdaSpec:
     logical_name: str
@@ -30,6 +48,7 @@ class LambdaSpec:
     lambda_at_edge: bool = False
     hash_extra: str = ""
     package_json: str = ""
+    extra_files: tuple[ExtraFile, ...] = ()
 
     @property
     def resolved_requirements_lock(self) -> str:
@@ -63,6 +82,26 @@ class Manifest:
     builder: BuilderConfig
 
 
+def _parse_extra_files(path: Path, entry: dict) -> tuple[ExtraFile, ...]:
+    """Parse + validate a lambda's optional [[lambda.extra_files]] entries."""
+    parsed: list[ExtraFile] = []
+    for ef in entry.get("extra_files", []):
+        src = ef.get("src", "")
+        dest = ef.get("dest", "")
+        if not src or not dest:
+            raise ValueError(
+                f"{path}: extra_files entry requires non-empty 'src' and 'dest' (got {ef!r})"
+            )
+        for field_name, value in (("src", src), ("dest", dest)):
+            if value.startswith("/") or ".." in Path(value).parts:
+                raise ValueError(
+                    f"{path}: extra_files {field_name}={value!r} must be a relative path "
+                    f"without '..' (src is repo-root-relative, dest is package-root-relative)"
+                )
+        parsed.append(ExtraFile(src=src, dest=dest, executable=bool(ef.get("executable", False))))
+    return tuple(parsed)
+
+
 def load_manifest(path: Path) -> Manifest:
     """Parse lambdas.toml and validate semantic invariants."""
     with path.open("rb") as f:
@@ -119,6 +158,8 @@ def load_manifest(path: Path) -> Manifest:
                 f"point it at the lambda's package.json relative to repo root"
             )
 
+        extra_files = _parse_extra_files(path, entry)
+
         lambdas.append(
             LambdaSpec(
                 logical_name=entry["logical_name"],
@@ -132,6 +173,7 @@ def load_manifest(path: Path) -> Manifest:
                 package_manager=pkg,
                 lambda_at_edge=bool(entry.get("lambda_at_edge", False)),
                 hash_extra=entry.get("hash_extra", ""),
+                extra_files=extra_files,
             )
         )
 

repro_lambda-0.4.0/src/repro_lambda/promote.py

@@ -0,0 +1,91 @@
+"""Promote a built lambda artifact from the dev bucket to the prod bucket.
+
+Promotion is a content-addressed S3 copy: the exact `lambdas/<name>/<sha>.zip`
+object already built and verified against the dev bucket is copied byte-for-byte
+to the prod bucket. There is no rebuild, so a cross-architecture prod runner can
+never produce a different artifact than the one tested in dev.
+
+The sha to promote comes from `builds/catalog.json` (the bounded build history
+committed to the source repo), so a promote always targets the artifact the
+source commit recorded.
+"""
+
+from __future__ import annotations
+
+import enum
+from dataclasses import dataclass
+from pathlib import Path
+
+from repro_lambda.build import _bucket_for
+from repro_lambda.catalog import load_catalog
+from repro_lambda.manifest import LambdaSpec
+from repro_lambda.s3_uploader import S3Uploader, UploadResult
+
+
+class PromoteResult(enum.Enum):
+    PROMOTED = "promoted"
+    ALREADY_PRESENT = "already_present"
+    DRY_RUN = "dry_run"
+
+
+@dataclass
+class PromoteOutcome:
+    outcome: PromoteResult
+    sha256: str
+    bucket_key: str
+    src_bucket: str
+    dst_bucket: str
+
+
+class MissingSourceArtifactError(RuntimeError):
+    """The dev artifact to promote does not exist (build dev first)."""
+
+
+class UnknownShaError(RuntimeError):
+    """builds/catalog.json has no current sha for the requested lambda."""
+
+
+def sha_from_catalog(catalog_path: Path, logical_name: str) -> str:
+    """Return the current sha recorded for `logical_name`, or raise UnknownShaError."""
+    catalog = load_catalog(catalog_path)
+    lc = catalog.lambdas.get(logical_name)
+    if lc is None or not lc.current:
+        raise UnknownShaError(
+            f"no catalog entry for {logical_name!r} in {catalog_path}; "
+            f"build the dev artifact before promoting"
+        )
+    return lc.current
+
+
+def promote_one(
+    *,
+    spec: LambdaSpec,
+    sha: str,
+    dev_bucket: str,
+    prod_bucket: str,
+    uploader: S3Uploader | None = None,
+    dry_run: bool = False,
+) -> PromoteOutcome:
+    """Copy one lambda's `<sha>.zip` from the dev bucket to the prod bucket.
+
+    Lambda@Edge specs (region us-east-1) resolve to the `-us-east-1` bucket
+    variant on both sides, matching the build-side key scheme exactly.
+    """
+    src_bucket = _bucket_for(spec, dev_bucket)
+    dst_bucket = _bucket_for(spec, prod_bucket)
+    key = f"lambdas/{spec.logical_name}/{sha}.zip"
+
+    if dry_run:
+        return PromoteOutcome(PromoteResult.DRY_RUN, sha, key, src_bucket, dst_bucket)
+
+    up = uploader or S3Uploader(region=spec.region)
+    if not up.exists(bucket=src_bucket, key=key):
+        raise MissingSourceArtifactError(
+            f"{spec.logical_name}: source artifact missing at s3://{src_bucket}/{key}"
+        )
+
+    result = up.copy(src_bucket=src_bucket, dst_bucket=dst_bucket, key=key)
+    outcome = (
+        PromoteResult.PROMOTED if result is UploadResult.UPLOADED else PromoteResult.ALREADY_PRESENT
+    )
+    return PromoteOutcome(outcome, sha, key, src_bucket, dst_bucket)

{repro_lambda-0.2.4 → repro_lambda-0.4.0}/src/repro_lambda/s3_uploader.py

@@ -28,6 +28,25 @@ class S3Uploader:
                 return False
             raise
 
+    def copy(self, *, src_bucket: str, dst_bucket: str, key: str) -> UploadResult:
+        """
+        Server-side copy of the same key from src_bucket to dst_bucket.
+
+        Idempotent via a destination existence pre-check; safe because artifact
+        buckets are content-addressed and immutable (the same key never changes
+        bytes). Returns ALREADY_PRESENT if the destination key already exists,
+        UPLOADED otherwise.
+        """
+        if self.exists(bucket=dst_bucket, key=key):
+            return UploadResult.ALREADY_PRESENT
+        self._client.copy_object(
+            Bucket=dst_bucket,
+            Key=key,
+            CopySource={"Bucket": src_bucket, "Key": key},
+            ServerSideEncryption="AES256",
+        )
+        return UploadResult.UPLOADED
+
     def upload(self, *, bucket: str, key: str, body_path: Path) -> UploadResult:
         """
         PutObject with If-None-Match=*.

{repro_lambda-0.2.4 → repro_lambda-0.4.0}/src/repro_lambda/source_stager.py

@@ -7,7 +7,7 @@ import shutil
 import subprocess
 from pathlib import Path
 
-from repro_lambda.manifest import BuilderConfig
+from repro_lambda.manifest import BuilderConfig, ExtraFile
 
 
 def _git_ls_files(repo_root: Path, source_dir: str) -> list[str]:
@@ -37,6 +37,29 @@ def _filter_paths(paths: list[str], include: list[str], exclude: list[str]) -> l
     return kept
 
 
+def _stage_payload_files(
+    repo_root: Path, target_root: Path, payload_files: list[ExtraFile]
+) -> None:
+    """Stage prebuilt files/dirs (CI-materialized, not git-tracked) into the package.
+
+    Each lands at target_root/<dest> (the staged source tree, so it ships in the zip
+    and folds into the content hash). Files get the +x bit when `executable`; dirs
+    are copied recursively with source perms preserved.
+    """
+    for ef in payload_files:
+        src = repo_root / ef.src
+        dest = target_root / ef.dest
+        if src.is_dir():
+            shutil.copytree(src, dest, dirs_exist_ok=True)
+        elif src.is_file():
+            dest.parent.mkdir(parents=True, exist_ok=True)
+            shutil.copy2(src, dest)
+            if ef.executable:
+                dest.chmod(dest.stat().st_mode | 0o111)
+        else:
+            raise FileNotFoundError(f"extra_files src not found: {src} (declared src={ef.src!r})")
+
+
 def stage_source(
     repo_root: Path,
     source_dir: str,
@@ -44,13 +67,16 @@ def stage_source(
     stage_dir: Path,
     *,
     extra_files: list[tuple[Path, str]] | None = None,
+    payload_files: list[ExtraFile] | None = None,
 ) -> list[str]:
     """
     Copy git-tracked files under source_dir into stage_dir/source/, preserving perms.
 
-    Optionally copy additional files (outside source_dir) directly into stage_dir.
-    Each entry in extra_files is (src_path, rel_name) where rel_name is the
-    destination path relative to stage_dir (not stage_dir/source/).
+    `extra_files` are build inputs (e.g. the requirements lock) copied to
+    stage_dir/<rel_name> - consumed by the container, not shipped in the zip.
+
+    `payload_files` are prebuilt artifacts copied into stage_dir/source/<dest> so
+    they ship in the zip and fold into the content hash.
 
     Returns the sorted list of relative paths (from repo_root) that were staged.
     """
@@ -71,6 +97,8 @@ def stage_source(
         if src_mode & 0o111:
             dst.chmod(dst.stat().st_mode | 0o111)
 
+    _stage_payload_files(repo_root, target_root, payload_files or [])
+
     for src_path, rel_name in extra_files or []:
         if not src_path.is_file():
             raise FileNotFoundError(f"extra_files source not found: {src_path}")

repro_lambda-0.4.0/tests/test_extra_files.py

@@ -0,0 +1,222 @@
+"""extra_files: prebuilt file/dir bundling into the content-addressed package."""
+
+import subprocess
+from pathlib import Path
+
+import pytest
+
+from repro_lambda.build import compute_sha_for
+from repro_lambda.hasher import compute_content_hash
+from repro_lambda.manifest import BuilderConfig, ExtraFile, LambdaSpec, load_manifest
+from repro_lambda.source_stager import stage_source
+
+PINNED_IMAGE = "public.ecr.aws/lambda/python:3.13@sha256:" + "0" * 64
+
+
+def _spec(**kw) -> LambdaSpec:
+    base = dict(
+        logical_name="app",
+        source_dir="handler",
+        requirements_lock="handler/requirements.${arch}.lock",
+        runtime="python3.13",
+        arch="arm64",
+        handler="app.lambda_handler",
+    )
+    base.update(kw)
+    return LambdaSpec(**base)
+
+
+# --- manifest parse / validate --------------------------------------------
+
+
+def _write_manifest(tmp_path: Path, extra_files_toml: str) -> Path:
+    p = tmp_path / "lambdas.toml"
+    p.write_text(
+        "[[lambda]]\n"
+        'logical_name      = "app"\n'
+        'source_dir        = "handler"\n'
+        'requirements_lock = "handler/requirements.${arch}.lock"\n'
+        'runtime           = "python3.13"\n'
+        'arch              = "arm64"\n'
+        'handler           = "app.lambda_handler"\n'
+        f"{extra_files_toml}"
+        "\n[builder]\n"
+        f'base_image_python = "{PINNED_IMAGE}"\n'
+    )
+    return p
+
+
+def test_manifest_parses_extra_files(tmp_path: Path):
+    manifest = _write_manifest(
+        tmp_path,
+        '[[lambda.extra_files]]\nsrc = "builds/bin/terraform"\n'
+        'dest = "bin/terraform"\nexecutable = true\n'
+        '[[lambda.extra_files]]\nsrc = "builds/pofix"\ndest = "pofix"\n',
+    )
+    spec = load_manifest(manifest).lambdas[0]
+    assert spec.extra_files == (
+        ExtraFile(src="builds/bin/terraform", dest="bin/terraform", executable=True),
+        ExtraFile(src="builds/pofix", dest="pofix", executable=False),
+    )
+
+
+def test_manifest_extra_files_defaults_empty(tmp_path: Path):
+    manifest = _write_manifest(tmp_path, "")
+    assert load_manifest(manifest).lambdas[0].extra_files == ()
+
+
+def test_manifest_rejects_extra_files_without_dest(tmp_path: Path):
+    manifest = _write_manifest(tmp_path, '[[lambda.extra_files]]\nsrc = "builds/bin/terraform"\n')
+    with pytest.raises(ValueError, match="non-empty 'src' and 'dest'"):
+        load_manifest(manifest)
+
+
+def test_manifest_rejects_extra_files_parent_traversal(tmp_path: Path):
+    manifest = _write_manifest(
+        tmp_path,
+        '[[lambda.extra_files]]\nsrc = "builds/bin/x"\ndest = "../escape"\n',
+    )
+    with pytest.raises(ValueError, match="without '..'"):
+        load_manifest(manifest)
+
+
+def test_manifest_rejects_extra_files_absolute_src(tmp_path: Path):
+    manifest = _write_manifest(
+        tmp_path,
+        '[[lambda.extra_files]]\nsrc = "/etc/passwd"\ndest = "bin/x"\n',
+    )
+    with pytest.raises(ValueError, match="relative path"):
+        load_manifest(manifest)
+
+
+# --- stager ----------------------------------------------------------------
+
+
+def _git_repo_with_source(tmp_path: Path) -> Path:
+    repo = tmp_path / "repo"
+    (repo / "handler").mkdir(parents=True)
+    (repo / "handler" / "app.py").write_text("def lambda_handler(e, c): return 200\n")
+    subprocess.run(["git", "init", "-q"], cwd=repo, check=True)
+    subprocess.run(["git", "config", "user.email", "t@t"], cwd=repo, check=True)
+    subprocess.run(["git", "config", "user.name", "t"], cwd=repo, check=True)
+    subprocess.run(["git", "add", "."], cwd=repo, check=True)
+    subprocess.run(["git", "commit", "-qm", "init"], cwd=repo, check=True)
+    return repo
+
+
+def test_stage_payload_file_gets_exec_bit(tmp_path: Path):
+    repo = _git_repo_with_source(tmp_path)
+    (repo / "builds" / "bin").mkdir(parents=True)
+    binary = repo / "builds" / "bin" / "terraform"
+    binary.write_bytes(b"\x7fELF fake binary")
+
+    stage = tmp_path / "stage"
+    stage_source(
+        repo_root=repo,
+        source_dir="handler",
+        builder=BuilderConfig(base_image_python=PINNED_IMAGE),
+        stage_dir=stage,
+        payload_files=[
+            ExtraFile(src="builds/bin/terraform", dest="bin/terraform", executable=True)
+        ],
+    )
+    staged = stage / "source" / "bin" / "terraform"
+    assert staged.read_bytes() == b"\x7fELF fake binary"
+    assert staged.stat().st_mode & 0o111, "executable bit not set"
+
+
+def test_stage_payload_dir_recursive(tmp_path: Path):
+    repo = _git_repo_with_source(tmp_path)
+    tree = repo / "builds" / "pofix"
+    (tree / "data").mkdir(parents=True)
+    (tree / ".tool-versions").write_text("terraform 1.9.0\n")
+    (tree / "data" / "x.json").write_text("{}\n")
+
+    stage = tmp_path / "stage"
+    stage_source(
+        repo_root=repo,
+        source_dir="handler",
+        builder=BuilderConfig(base_image_python=PINNED_IMAGE),
+        stage_dir=stage,
+        payload_files=[ExtraFile(src="builds/pofix", dest="pofix")],
+    )
+    assert (stage / "source" / "pofix" / ".tool-versions").read_text() == "terraform 1.9.0\n"
+    assert (stage / "source" / "pofix" / "data" / "x.json").exists()
+
+
+def test_stage_payload_missing_src_raises(tmp_path: Path):
+    repo = _git_repo_with_source(tmp_path)
+    stage = tmp_path / "stage"
+    with pytest.raises(FileNotFoundError, match="extra_files src not found"):
+        stage_source(
+            repo_root=repo,
+            source_dir="handler",
+            builder=BuilderConfig(base_image_python=PINNED_IMAGE),
+            stage_dir=stage,
+            payload_files=[ExtraFile(src="builds/missing", dest="bin/x")],
+        )
+
+
+# --- hasher ----------------------------------------------------------------
+
+
+def _staged_tree(tmp_path: Path) -> tuple[Path, Path]:
+    root = tmp_path / "source"
+    (root / "bin").mkdir(parents=True)
+    (root / "app.py").write_text("x = 1\n")
+    (root / "bin" / "terraform").write_bytes(b"BIN")
+    lock = tmp_path / "requirements.lock"
+    lock.write_text("")
+    return root, lock
+
+
+def _hash(root: Path, lock: Path, *, payload_exec=None) -> str:
+    return compute_content_hash(
+        staged_source_root=root,
+        requirements_lock=lock,
+        spec=_spec(),
+        base_image=PINNED_IMAGE,
+        builder_version="0.3.0",
+        payload_exec=payload_exec,
+    )
+
+
+def test_hash_none_equals_empty_payload_exec(tmp_path: Path):
+    root, lock = _staged_tree(tmp_path)
+    assert _hash(root, lock, payload_exec=None) == _hash(root, lock, payload_exec=[])
+
+
+def test_hash_changes_when_executable_flag_flips(tmp_path: Path):
+    root, lock = _staged_tree(tmp_path)
+    off = _hash(root, lock, payload_exec=[("bin/terraform", False)])
+    on = _hash(root, lock, payload_exec=[("bin/terraform", True)])
+    assert off != on
+
+
+def test_hash_omits_payload_section_when_empty(tmp_path: Path):
+    # Byte-identical to a spec with no extra_files at all (regression guard for
+    # the 3 existing lambdas, whose hashes must not move).
+    root, lock = _staged_tree(tmp_path)
+    assert _hash(root, lock) == _hash(root, lock, payload_exec=[])
+
+
+# --- build.compute_sha_for integration -------------------------------------
+
+
+def test_compute_sha_for_reflects_payload_binary(tmp_path: Path):
+    repo = _git_repo_with_source(tmp_path)
+    (repo / "handler" / "requirements.arm64.lock").write_text("")
+    subprocess.run(["git", "add", "."], cwd=repo, check=True)
+    subprocess.run(["git", "commit", "-qm", "lock"], cwd=repo, check=True)
+    (repo / "builds" / "bin").mkdir(parents=True)
+    binary = repo / "builds" / "bin" / "terraform"
+
+    builder = BuilderConfig(base_image_python=PINNED_IMAGE)
+    spec = _spec(extra_files=(ExtraFile(src="builds/bin/terraform", dest="bin/terraform"),))
+
+    binary.write_bytes(b"VERSION-A")
+    sha_a = compute_sha_for(repo_root=repo, spec=spec, builder=builder)
+    binary.write_bytes(b"VERSION-B")
+    sha_b = compute_sha_for(repo_root=repo, spec=spec, builder=builder)
+
+    assert sha_a != sha_b, "content hash must track the bundled binary's bytes"

repro_lambda-0.4.0/tests/test_promote.py

@@ -0,0 +1,228 @@
+"""Promote (dev -> prod copy by content hash) unit + CLI coverage."""
+
+from pathlib import Path
+
+import boto3
+import pytest
+from moto import mock_aws
+from typer.testing import CliRunner
+
+from repro_lambda.cli import app
+from repro_lambda.manifest import LambdaSpec
+from repro_lambda.promote import (
+    MissingSourceArtifactError,
+    PromoteResult,
+    UnknownShaError,
+    promote_one,
+    sha_from_catalog,
+)
+from repro_lambda.s3_uploader import S3Uploader, UploadResult
+
+runner = CliRunner()
+
+DEV = "dev-test-lambda-artifacts"
+PROD = "prod-test-lambda-artifacts"
+
+
+def _make_bucket(client, name: str, region: str) -> None:
+    if region == "us-east-1":
+        client.create_bucket(Bucket=name)
+    else:
+        client.create_bucket(Bucket=name, CreateBucketConfiguration={"LocationConstraint": region})
+
+
+def _spec(name: str, *, region: str = "eu-west-1", at_edge: bool = False) -> LambdaSpec:
+    return LambdaSpec(
+        logical_name=name,
+        source_dir="handler",
+        requirements_lock="handler/requirements.${arch}.lock",
+        runtime="python3.13",
+        arch="x86_64" if at_edge else "arm64",
+        handler="app.lambda_handler",
+        region=region,
+        lambda_at_edge=at_edge,
+    )
+
+
+# --- S3Uploader.copy -------------------------------------------------------
+
+
+def test_copy_uploads_then_reports_already_present():
+    with mock_aws():
+        c = boto3.client("s3", region_name="eu-west-1")
+        _make_bucket(c, DEV, "eu-west-1")
+        _make_bucket(c, PROD, "eu-west-1")
+        c.put_object(Bucket=DEV, Key="lambdas/app/abc.zip", Body=b"PK\x05\x06" + b"\x00" * 18)
+
+        up = S3Uploader(region="eu-west-1")
+        first = up.copy(src_bucket=DEV, dst_bucket=PROD, key="lambdas/app/abc.zip")
+        second = up.copy(src_bucket=DEV, dst_bucket=PROD, key="lambdas/app/abc.zip")
+
+        assert first == UploadResult.UPLOADED
+        assert second == UploadResult.ALREADY_PRESENT
+        assert up.exists(bucket=PROD, key="lambdas/app/abc.zip")
+
+
+# --- promote_one -----------------------------------------------------------
+
+
+def test_promote_one_copies_regional_lambda():
+    with mock_aws():
+        c = boto3.client("s3", region_name="eu-west-1")
+        _make_bucket(c, DEV, "eu-west-1")
+        _make_bucket(c, PROD, "eu-west-1")
+        c.put_object(Bucket=DEV, Key="lambdas/app/sha1.zip", Body=b"z")
+
+        out = promote_one(spec=_spec("app"), sha="sha1", dev_bucket=DEV, prod_bucket=PROD)
+
+        assert out.outcome == PromoteResult.PROMOTED
+        assert out.src_bucket == DEV
+        assert out.dst_bucket == PROD
+        assert out.bucket_key == "lambdas/app/sha1.zip"
+        assert c.head_object(Bucket=PROD, Key="lambdas/app/sha1.zip")
+
+
+def test_promote_one_edge_lambda_uses_us_east_1_bucket_variant():
+    with mock_aws():
+        eu = boto3.client("s3", region_name="eu-west-1")
+        us = boto3.client("s3", region_name="us-east-1")
+        _make_bucket(eu, DEV, "eu-west-1")
+        _make_bucket(eu, PROD, "eu-west-1")
+        _make_bucket(us, f"{DEV}-us-east-1", "us-east-1")
+        _make_bucket(us, f"{PROD}-us-east-1", "us-east-1")
+        us.put_object(Bucket=f"{DEV}-us-east-1", Key="lambdas/edge/e1.zip", Body=b"z")
+
+        out = promote_one(
+            spec=_spec("edge", region="us-east-1", at_edge=True),
+            sha="e1",
+            dev_bucket=DEV,
+            prod_bucket=PROD,
+        )
+
+        assert out.src_bucket == f"{DEV}-us-east-1"
+        assert out.dst_bucket == f"{PROD}-us-east-1"
+        assert us.head_object(Bucket=f"{PROD}-us-east-1", Key="lambdas/edge/e1.zip")
+
+
+def test_promote_one_missing_source_raises():
+    with mock_aws():
+        c = boto3.client("s3", region_name="eu-west-1")
+        _make_bucket(c, DEV, "eu-west-1")
+        _make_bucket(c, PROD, "eu-west-1")
+
+        with pytest.raises(MissingSourceArtifactError):
+            promote_one(spec=_spec("app"), sha="missing", dev_bucket=DEV, prod_bucket=PROD)
+
+
+def test_promote_one_dry_run_touches_no_s3():
+    out = promote_one(spec=_spec("app"), sha="sha1", dev_bucket=DEV, prod_bucket=PROD, dry_run=True)
+    assert out.outcome == PromoteResult.DRY_RUN
+    assert out.bucket_key == "lambdas/app/sha1.zip"
+
+
+# --- sha_from_catalog ------------------------------------------------------
+
+
+def test_sha_from_catalog_reads_current(tmp_path: Path):
+    catalog = tmp_path / "catalog.json"
+    catalog.write_text(
+        '{"schema_version": 1, "lambdas": {"app": {"current": "deadbeef", "history": []}}}\n'
+    )
+    assert sha_from_catalog(catalog, "app") == "deadbeef"
+
+
+def test_sha_from_catalog_unknown_lambda_raises(tmp_path: Path):
+    catalog = tmp_path / "catalog.json"
+    catalog.write_text('{"schema_version": 1, "lambdas": {}}\n')
+    with pytest.raises(UnknownShaError):
+        sha_from_catalog(catalog, "app")
+
+
+# --- CLI -------------------------------------------------------------------
+
+
+def _consumer(tmp_path: Path) -> Path:
+    repo = tmp_path / "consumer"
+    (repo / "handler").mkdir(parents=True)
+    (repo / "lambdas.toml").write_text(
+        "[[lambda]]\n"
+        'logical_name      = "app"\n'
+        'source_dir        = "handler"\n'
+        'requirements_lock = "handler/requirements.${arch}.lock"\n'
+        'runtime           = "python3.13"\n'
+        'arch              = "arm64"\n'
+        'handler           = "app.lambda_handler"\n'
+        'region            = "eu-west-1"\n'
+        "\n"
+        "[builder]\n"
+        'base_image_python = "public.ecr.aws/lambda/python:3.13@sha256:' + "0" * 64 + '"\n'
+    )
+    (repo / "builds").mkdir()
+    (repo / "builds" / "catalog.json").write_text(
+        '{"schema_version": 1, "lambdas": {"app": {"current": "cafef00d", "history": []}}}\n'
+    )
+    return repo
+
+
+def test_cli_promote_copies_from_catalog(tmp_path: Path):
+    repo = _consumer(tmp_path)
+    with mock_aws():
+        c = boto3.client("s3", region_name="eu-west-1")
+        _make_bucket(c, DEV, "eu-west-1")
+        _make_bucket(c, PROD, "eu-west-1")
+        c.put_object(Bucket=DEV, Key="lambdas/app/cafef00d.zip", Body=b"z")
+
+        result = runner.invoke(
+            app,
+            [
+                "promote",
+                "app",
+                "--manifest",
+                str(repo / "lambdas.toml"),
+                "--dev-bucket",
+                DEV,
+                "--prod-bucket",
+                PROD,
+            ],
+        )
+        assert result.exit_code == 0, result.stdout
+        assert "promoted" in result.stdout
+        assert c.head_object(Bucket=PROD, Key="lambdas/app/cafef00d.zip")
+
+
+def test_cli_promote_dry_run_touches_no_s3(tmp_path: Path):
+    repo = _consumer(tmp_path)
+    result = runner.invoke(
+        app,
+        [
+            "promote",
+            "app",
+            "--manifest",
+            str(repo / "lambdas.toml"),
+            "--dev-bucket",
+            DEV,
+            "--prod-bucket",
+            PROD,
+            "--dry-run",
+        ],
+    )
+    assert result.exit_code == 0, result.stdout
+    assert "dry_run" in result.stdout
+
+
+def test_cli_promote_unknown_target_exits_2(tmp_path: Path):
+    repo = _consumer(tmp_path)
+    result = runner.invoke(
+        app,
+        [
+            "promote",
+            "nope",
+            "--manifest",
+            str(repo / "lambdas.toml"),
+            "--dev-bucket",
+            DEV,
+            "--prod-bucket",
+            PROD,
+        ],
+    )
+    assert result.exit_code == 2

{repro_lambda-0.2.4 → repro_lambda-0.4.0}/uv.lock

@@ -646,7 +646,7 @@ wheels = [
 
 [[package]]
 name = "repro-lambda"
-version = "0.2.4"
+version = "0.4.0"
 source = { editable = "." }
 dependencies = [
     { name = "boto3" },