repro-lambda 0.3.0__tar.gz → 0.4.0__tar.gz

{repro_lambda-0.3.0 → repro_lambda-0.4.0}/CHANGELOG.md

@@ -1,5 +1,10 @@
 # Changelog
 
+## v0.4.0 - 2026-06-21
+
+### Added
+- `extra_files` manifest field: bundle prebuilt files or directories into a lambda package alongside its source. Each `[[lambda.extra_files]]` entry has `src` (repo-root-relative, where CI materialized it - e.g. a digest-pinned binary or an extracted release tree), `dest` (package-root-relative), and an optional `executable` flag (sets +x on a file; ignored for directories, which keep source perms). The bytes fold into the content hash via the staged source tree, and the executable bit folds in separately, so flipping it changes the artifact hash even when bytes are identical. This lets a lambda ship vendored CLIs or release trees the consumer's CI downloads and verifies, while the tool itself stays free of any network/tool-download logic. Paths are validated as relative and `..`-free. Specs without `extra_files` hash byte-identically to before.
+
 ## v0.3.0 - 2026-06-21
 
 ### Added

{repro_lambda-0.3.0 → repro_lambda-0.4.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: repro-lambda
-Version: 0.3.0
+Version: 0.4.0
 Summary: Build reproducible AWS Lambda packages outside Terraform, optimized for terraform-aws-lambda by serverless.tf.
 Project-URL: Homepage, https://github.com/antonbabenko/repro-lambda
 Project-URL: Repository, https://github.com/antonbabenko/repro-lambda

{repro_lambda-0.3.0 → repro_lambda-0.4.0}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "repro-lambda"
-version = "0.3.0"
+version = "0.4.0"
 description = "Build reproducible AWS Lambda packages outside Terraform, optimized for terraform-aws-lambda by serverless.tf."
 readme = "README.md"
 requires-python = ">=3.11"

{repro_lambda-0.3.0 → repro_lambda-0.4.0}/src/repro_lambda/__init__.py

@@ -1,3 +1,3 @@
 """repro-lambda — reproducible AWS Lambda packaging outside Terraform."""
 
-__version__ = "0.3.0"
+__version__ = "0.4.0"

{repro_lambda-0.3.0 → repro_lambda-0.4.0}/src/repro_lambda/build.py

@@ -75,6 +75,7 @@ def compute_sha_for(
             builder=builder,
             stage_dir=stage_dir,
             extra_files=extras,
+            payload_files=list(spec.extra_files),
         )
         return compute_content_hash(
             staged_source_root=stage_dir / "source",
@@ -83,6 +84,7 @@ def compute_sha_for(
             base_image=primary_base_image,
             builder_version=__version__,
             extra_files=extras,
+            payload_exec=[(ef.dest, ef.executable) for ef in spec.extra_files],
         )
 
 
@@ -113,6 +115,7 @@ def build_one(
             builder=builder,
             stage_dir=stage_dir,
             extra_files=extras,
+            payload_files=list(spec.extra_files),
         )
 
         sha = compute_content_hash(
@@ -122,6 +125,7 @@ def build_one(
             base_image=primary_base_image,
             builder_version=__version__,
             extra_files=extras,
+            payload_exec=[(ef.dest, ef.executable) for ef in spec.extra_files],
         )
         bucket_key = f"lambdas/{spec.logical_name}/{sha}.zip"
 

{repro_lambda-0.3.0 → repro_lambda-0.4.0}/src/repro_lambda/hasher.py

@@ -24,6 +24,7 @@ def compute_content_hash(
     builder_version: str,
     *,
     extra_files: list[tuple[Path, str]] | None = None,
+    payload_exec: list[tuple[str, bool]] | None = None,
 ) -> str:
     """
     sha256 over: sorted (relative-path, sha256(content)) tuples for the staged tree
@@ -72,4 +73,13 @@ def compute_content_hash(
             h.update(_sha256_file(src).encode("ascii"))
             h.update(b"\n")
 
+    # Payload extra_files (prebuilt binaries/trees) are already hashed by content
+    # via the staged source tree above; fold in their executable bit here so that
+    # flipping +x changes the artifact hash even when bytes are unchanged. Omitted
+    # entirely when empty, preserving byte-identical hashes for specs with none.
+    if payload_exec:
+        h.update(b"---payload-exec---\n")
+        for dest, executable in sorted(payload_exec):
+            h.update(f"{dest}={int(executable)}\n".encode())
+
     return h.hexdigest()

{repro_lambda-0.3.0 → repro_lambda-0.4.0}/src/repro_lambda/manifest.py

@@ -17,6 +17,24 @@ SUPPORTED_ARCHS: tuple[str, ...] = ("arm64", "x86_64")
 SUPPORTED_PACKAGE_MANAGERS = {"pip", "npm"}
 
 
+@dataclass(frozen=True)
+class ExtraFile:
+    """A prebuilt file or directory staged into the package alongside the source.
+
+    `src` is relative to the repo root (where the caller's CI materialized it, e.g.
+    a downloaded + digest-pinned binary or an extracted release tree). `dest` is
+    where it lands in the package (relative to the package root). For a file,
+    `executable` sets the +x bit; for a directory, source perms are preserved and
+    `executable` is ignored. The bytes fold into the content hash via the staged
+    source tree; the executable flag folds in separately, so flipping it changes
+    the artifact hash even when bytes are unchanged.
+    """
+
+    src: str
+    dest: str
+    executable: bool = False
+
+
 @dataclass(frozen=True)
 class LambdaSpec:
     logical_name: str
@@ -30,6 +48,7 @@ class LambdaSpec:
     lambda_at_edge: bool = False
     hash_extra: str = ""
     package_json: str = ""
+    extra_files: tuple[ExtraFile, ...] = ()
 
     @property
     def resolved_requirements_lock(self) -> str:
@@ -63,6 +82,26 @@ class Manifest:
     builder: BuilderConfig
 
 
+def _parse_extra_files(path: Path, entry: dict) -> tuple[ExtraFile, ...]:
+    """Parse + validate a lambda's optional [[lambda.extra_files]] entries."""
+    parsed: list[ExtraFile] = []
+    for ef in entry.get("extra_files", []):
+        src = ef.get("src", "")
+        dest = ef.get("dest", "")
+        if not src or not dest:
+            raise ValueError(
+                f"{path}: extra_files entry requires non-empty 'src' and 'dest' (got {ef!r})"
+            )
+        for field_name, value in (("src", src), ("dest", dest)):
+            if value.startswith("/") or ".." in Path(value).parts:
+                raise ValueError(
+                    f"{path}: extra_files {field_name}={value!r} must be a relative path "
+                    f"without '..' (src is repo-root-relative, dest is package-root-relative)"
+                )
+        parsed.append(ExtraFile(src=src, dest=dest, executable=bool(ef.get("executable", False))))
+    return tuple(parsed)
+
+
 def load_manifest(path: Path) -> Manifest:
     """Parse lambdas.toml and validate semantic invariants."""
     with path.open("rb") as f:
@@ -119,6 +158,8 @@ def load_manifest(path: Path) -> Manifest:
                 f"point it at the lambda's package.json relative to repo root"
             )
 
+        extra_files = _parse_extra_files(path, entry)
+
         lambdas.append(
             LambdaSpec(
                 logical_name=entry["logical_name"],
@@ -132,6 +173,7 @@ def load_manifest(path: Path) -> Manifest:
                 package_manager=pkg,
                 lambda_at_edge=bool(entry.get("lambda_at_edge", False)),
                 hash_extra=entry.get("hash_extra", ""),
+                extra_files=extra_files,
             )
         )
 

{repro_lambda-0.3.0 → repro_lambda-0.4.0}/src/repro_lambda/source_stager.py

@@ -7,7 +7,7 @@ import shutil
 import subprocess
 from pathlib import Path
 
-from repro_lambda.manifest import BuilderConfig
+from repro_lambda.manifest import BuilderConfig, ExtraFile
 
 
 def _git_ls_files(repo_root: Path, source_dir: str) -> list[str]:
@@ -37,6 +37,29 @@ def _filter_paths(paths: list[str], include: list[str], exclude: list[str]) -> l
     return kept
 
 
+def _stage_payload_files(
+    repo_root: Path, target_root: Path, payload_files: list[ExtraFile]
+) -> None:
+    """Stage prebuilt files/dirs (CI-materialized, not git-tracked) into the package.
+
+    Each lands at target_root/<dest> (the staged source tree, so it ships in the zip
+    and folds into the content hash). Files get the +x bit when `executable`; dirs
+    are copied recursively with source perms preserved.
+    """
+    for ef in payload_files:
+        src = repo_root / ef.src
+        dest = target_root / ef.dest
+        if src.is_dir():
+            shutil.copytree(src, dest, dirs_exist_ok=True)
+        elif src.is_file():
+            dest.parent.mkdir(parents=True, exist_ok=True)
+            shutil.copy2(src, dest)
+            if ef.executable:
+                dest.chmod(dest.stat().st_mode | 0o111)
+        else:
+            raise FileNotFoundError(f"extra_files src not found: {src} (declared src={ef.src!r})")
+
+
 def stage_source(
     repo_root: Path,
     source_dir: str,
@@ -44,13 +67,16 @@ def stage_source(
     stage_dir: Path,
     *,
     extra_files: list[tuple[Path, str]] | None = None,
+    payload_files: list[ExtraFile] | None = None,
 ) -> list[str]:
     """
     Copy git-tracked files under source_dir into stage_dir/source/, preserving perms.
 
-    Optionally copy additional files (outside source_dir) directly into stage_dir.
-    Each entry in extra_files is (src_path, rel_name) where rel_name is the
-    destination path relative to stage_dir (not stage_dir/source/).
+    `extra_files` are build inputs (e.g. the requirements lock) copied to
+    stage_dir/<rel_name> - consumed by the container, not shipped in the zip.
+
+    `payload_files` are prebuilt artifacts copied into stage_dir/source/<dest> so
+    they ship in the zip and fold into the content hash.
 
     Returns the sorted list of relative paths (from repo_root) that were staged.
     """
@@ -71,6 +97,8 @@ def stage_source(
         if src_mode & 0o111:
             dst.chmod(dst.stat().st_mode | 0o111)
 
+    _stage_payload_files(repo_root, target_root, payload_files or [])
+
     for src_path, rel_name in extra_files or []:
         if not src_path.is_file():
             raise FileNotFoundError(f"extra_files source not found: {src_path}")

repro_lambda-0.4.0/tests/test_extra_files.py

@@ -0,0 +1,222 @@
+"""extra_files: prebuilt file/dir bundling into the content-addressed package."""
+
+import subprocess
+from pathlib import Path
+
+import pytest
+
+from repro_lambda.build import compute_sha_for
+from repro_lambda.hasher import compute_content_hash
+from repro_lambda.manifest import BuilderConfig, ExtraFile, LambdaSpec, load_manifest
+from repro_lambda.source_stager import stage_source
+
+PINNED_IMAGE = "public.ecr.aws/lambda/python:3.13@sha256:" + "0" * 64
+
+
+def _spec(**kw) -> LambdaSpec:
+    base = dict(
+        logical_name="app",
+        source_dir="handler",
+        requirements_lock="handler/requirements.${arch}.lock",
+        runtime="python3.13",
+        arch="arm64",
+        handler="app.lambda_handler",
+    )
+    base.update(kw)
+    return LambdaSpec(**base)
+
+
+# --- manifest parse / validate --------------------------------------------
+
+
+def _write_manifest(tmp_path: Path, extra_files_toml: str) -> Path:
+    p = tmp_path / "lambdas.toml"
+    p.write_text(
+        "[[lambda]]\n"
+        'logical_name      = "app"\n'
+        'source_dir        = "handler"\n'
+        'requirements_lock = "handler/requirements.${arch}.lock"\n'
+        'runtime           = "python3.13"\n'
+        'arch              = "arm64"\n'
+        'handler           = "app.lambda_handler"\n'
+        f"{extra_files_toml}"
+        "\n[builder]\n"
+        f'base_image_python = "{PINNED_IMAGE}"\n'
+    )
+    return p
+
+
+def test_manifest_parses_extra_files(tmp_path: Path):
+    manifest = _write_manifest(
+        tmp_path,
+        '[[lambda.extra_files]]\nsrc = "builds/bin/terraform"\n'
+        'dest = "bin/terraform"\nexecutable = true\n'
+        '[[lambda.extra_files]]\nsrc = "builds/pofix"\ndest = "pofix"\n',
+    )
+    spec = load_manifest(manifest).lambdas[0]
+    assert spec.extra_files == (
+        ExtraFile(src="builds/bin/terraform", dest="bin/terraform", executable=True),
+        ExtraFile(src="builds/pofix", dest="pofix", executable=False),
+    )
+
+
+def test_manifest_extra_files_defaults_empty(tmp_path: Path):
+    manifest = _write_manifest(tmp_path, "")
+    assert load_manifest(manifest).lambdas[0].extra_files == ()
+
+
+def test_manifest_rejects_extra_files_without_dest(tmp_path: Path):
+    manifest = _write_manifest(tmp_path, '[[lambda.extra_files]]\nsrc = "builds/bin/terraform"\n')
+    with pytest.raises(ValueError, match="non-empty 'src' and 'dest'"):
+        load_manifest(manifest)
+
+
+def test_manifest_rejects_extra_files_parent_traversal(tmp_path: Path):
+    manifest = _write_manifest(
+        tmp_path,
+        '[[lambda.extra_files]]\nsrc = "builds/bin/x"\ndest = "../escape"\n',
+    )
+    with pytest.raises(ValueError, match="without '..'"):
+        load_manifest(manifest)
+
+
+def test_manifest_rejects_extra_files_absolute_src(tmp_path: Path):
+    manifest = _write_manifest(
+        tmp_path,
+        '[[lambda.extra_files]]\nsrc = "/etc/passwd"\ndest = "bin/x"\n',
+    )
+    with pytest.raises(ValueError, match="relative path"):
+        load_manifest(manifest)
+
+
+# --- stager ----------------------------------------------------------------
+
+
+def _git_repo_with_source(tmp_path: Path) -> Path:
+    repo = tmp_path / "repo"
+    (repo / "handler").mkdir(parents=True)
+    (repo / "handler" / "app.py").write_text("def lambda_handler(e, c): return 200\n")
+    subprocess.run(["git", "init", "-q"], cwd=repo, check=True)
+    subprocess.run(["git", "config", "user.email", "t@t"], cwd=repo, check=True)
+    subprocess.run(["git", "config", "user.name", "t"], cwd=repo, check=True)
+    subprocess.run(["git", "add", "."], cwd=repo, check=True)
+    subprocess.run(["git", "commit", "-qm", "init"], cwd=repo, check=True)
+    return repo
+
+
+def test_stage_payload_file_gets_exec_bit(tmp_path: Path):
+    repo = _git_repo_with_source(tmp_path)
+    (repo / "builds" / "bin").mkdir(parents=True)
+    binary = repo / "builds" / "bin" / "terraform"
+    binary.write_bytes(b"\x7fELF fake binary")
+
+    stage = tmp_path / "stage"
+    stage_source(
+        repo_root=repo,
+        source_dir="handler",
+        builder=BuilderConfig(base_image_python=PINNED_IMAGE),
+        stage_dir=stage,
+        payload_files=[
+            ExtraFile(src="builds/bin/terraform", dest="bin/terraform", executable=True)
+        ],
+    )
+    staged = stage / "source" / "bin" / "terraform"
+    assert staged.read_bytes() == b"\x7fELF fake binary"
+    assert staged.stat().st_mode & 0o111, "executable bit not set"
+
+
+def test_stage_payload_dir_recursive(tmp_path: Path):
+    repo = _git_repo_with_source(tmp_path)
+    tree = repo / "builds" / "pofix"
+    (tree / "data").mkdir(parents=True)
+    (tree / ".tool-versions").write_text("terraform 1.9.0\n")
+    (tree / "data" / "x.json").write_text("{}\n")
+
+    stage = tmp_path / "stage"
+    stage_source(
+        repo_root=repo,
+        source_dir="handler",
+        builder=BuilderConfig(base_image_python=PINNED_IMAGE),
+        stage_dir=stage,
+        payload_files=[ExtraFile(src="builds/pofix", dest="pofix")],
+    )
+    assert (stage / "source" / "pofix" / ".tool-versions").read_text() == "terraform 1.9.0\n"
+    assert (stage / "source" / "pofix" / "data" / "x.json").exists()
+
+
+def test_stage_payload_missing_src_raises(tmp_path: Path):
+    repo = _git_repo_with_source(tmp_path)
+    stage = tmp_path / "stage"
+    with pytest.raises(FileNotFoundError, match="extra_files src not found"):
+        stage_source(
+            repo_root=repo,
+            source_dir="handler",
+            builder=BuilderConfig(base_image_python=PINNED_IMAGE),
+            stage_dir=stage,
+            payload_files=[ExtraFile(src="builds/missing", dest="bin/x")],
+        )
+
+
+# --- hasher ----------------------------------------------------------------
+
+
+def _staged_tree(tmp_path: Path) -> tuple[Path, Path]:
+    root = tmp_path / "source"
+    (root / "bin").mkdir(parents=True)
+    (root / "app.py").write_text("x = 1\n")
+    (root / "bin" / "terraform").write_bytes(b"BIN")
+    lock = tmp_path / "requirements.lock"
+    lock.write_text("")
+    return root, lock
+
+
+def _hash(root: Path, lock: Path, *, payload_exec=None) -> str:
+    return compute_content_hash(
+        staged_source_root=root,
+        requirements_lock=lock,
+        spec=_spec(),
+        base_image=PINNED_IMAGE,
+        builder_version="0.3.0",
+        payload_exec=payload_exec,
+    )
+
+
+def test_hash_none_equals_empty_payload_exec(tmp_path: Path):
+    root, lock = _staged_tree(tmp_path)
+    assert _hash(root, lock, payload_exec=None) == _hash(root, lock, payload_exec=[])
+
+
+def test_hash_changes_when_executable_flag_flips(tmp_path: Path):
+    root, lock = _staged_tree(tmp_path)
+    off = _hash(root, lock, payload_exec=[("bin/terraform", False)])
+    on = _hash(root, lock, payload_exec=[("bin/terraform", True)])
+    assert off != on
+
+
+def test_hash_omits_payload_section_when_empty(tmp_path: Path):
+    # Byte-identical to a spec with no extra_files at all (regression guard for
+    # the 3 existing lambdas, whose hashes must not move).
+    root, lock = _staged_tree(tmp_path)
+    assert _hash(root, lock) == _hash(root, lock, payload_exec=[])
+
+
+# --- build.compute_sha_for integration -------------------------------------
+
+
+def test_compute_sha_for_reflects_payload_binary(tmp_path: Path):
+    repo = _git_repo_with_source(tmp_path)
+    (repo / "handler" / "requirements.arm64.lock").write_text("")
+    subprocess.run(["git", "add", "."], cwd=repo, check=True)
+    subprocess.run(["git", "commit", "-qm", "lock"], cwd=repo, check=True)
+    (repo / "builds" / "bin").mkdir(parents=True)
+    binary = repo / "builds" / "bin" / "terraform"
+
+    builder = BuilderConfig(base_image_python=PINNED_IMAGE)
+    spec = _spec(extra_files=(ExtraFile(src="builds/bin/terraform", dest="bin/terraform"),))
+
+    binary.write_bytes(b"VERSION-A")
+    sha_a = compute_sha_for(repo_root=repo, spec=spec, builder=builder)
+    binary.write_bytes(b"VERSION-B")
+    sha_b = compute_sha_for(repo_root=repo, spec=spec, builder=builder)
+
+    assert sha_a != sha_b, "content hash must track the bundled binary's bytes"

{repro_lambda-0.3.0 → repro_lambda-0.4.0}/uv.lock

@@ -646,7 +646,7 @@ wheels = [
 
 [[package]]
 name = "repro-lambda"
-version = "0.3.0"
+version = "0.4.0"
 source = { editable = "." }
 dependencies = [
     { name = "boto3" },