🧪 Move SLSA SHA-256 generation into toxfile

Author: webknjaz

.flake8

@@ -103,6 +103,10 @@ per-file-ignores =
   # If other ignores are added for a specific file in the section following this,
   # these will need to be added to that line as well.
 
+  # FIXME: toxfile is currently rather complicated, allowing these temporarily:
+  # WPS202 Found too many module members: 8 > 7
+  toxfile.py: WPS202
+
   # There are multiple `assert`s (S101)
   # and subprocesses (import – S404; call – S603) in tests:
   cheroot/test/test_*.py: S101, S404, S603

.github/workflows/ci-cd.yml

@@ -536,7 +536,8 @@ jobs:
       TOXENV: cleanup-dists,build-dists
 
     outputs:
-      dists-base64-hash: ${{ steps.dist-hashes.outputs.combined-hash }}
+      dists-base64-hash: >-
+        ${{ steps.tox-run.outputs.combined-dists-base64-encoded-sha256-hash }}
 
     steps:
     - name: Switch to using Python 3.11
@@ -652,6 +653,7 @@ jobs:
         echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)"
         >> "${GITHUB_ENV}"
     - name: Build dists
+      id: tox-run
       run: >-
         python -m
         tox
@@ -665,17 +667,6 @@ jobs:
         ls -1
         'dist/${{ needs.pre-setup.outputs.sdist-artifact-name }}'
         'dist/${{ needs.pre-setup.outputs.wheel-artifact-name }}'
-    - name: Generate dist hashes to be used for provenance
-      id: dist-hashes
-      run: >-
-        echo "combined-hash=$(
-        sha256sum
-        '${{ needs.pre-setup.outputs.sdist-artifact-name }}'
-        '${{ needs.pre-setup.outputs.wheel-artifact-name }}'
-        | base64 -w0
-        )"
-        >> "${GITHUB_OUTPUT}"
-      working-directory: dist
     - name: Store the distribution packages
       uses: actions/upload-artifact@v4
       with:

toxfile.py

@@ -2,15 +2,20 @@
 
 import platform
 import ssl
+from base64 import b64encode
+from hashlib import sha256
 from logging import getLogger
-from os import getenv
+from os import environ, getenv
+from pathlib import Path
 
 from tox.execute.request import StdinSource
 from tox.plugin import impl
 from tox.tox_env.api import ToxEnv
 
 
 IS_GITHUB_ACTIONS_RUNTIME = getenv('GITHUB_ACTIONS') == 'true'
+FILE_APPEND_MODE = 'a'
+UNICODE_ENCODING = 'utf-8'
 SYS_PLATFORM = platform.system()
 IS_WINDOWS = SYS_PLATFORM == 'Windows'
 
@@ -82,6 +87,55 @@ def tox_before_run_commands(tox_env: ToxEnv) -> None:  # noqa: WPS213
     )
 
 
+def _log_debug_after_run_commands(msg: str) -> None:
+    logger.debug(
+        '%s%s> %s',  # noqa: WPS323
+        'toxfile',
+        ':tox_after_run_commands',
+        msg,
+    )
+
+
+def _compute_sha256sum(file_path: Path) -> str:
+    return sha256(file_path.read_bytes()).hexdigest()
+
+
+def _produce_sha256sum_line(file_path: Path) -> str:
+    sha256_str = _compute_sha256sum(file_path)
+    return f'{sha256_str !s}  {file_path.name !s}'
+
+
+@impl
+def tox_after_run_commands(tox_env: ToxEnv) -> None:
+    """Compute combined dists hash post build-dists under GHA.
+
+    :param tox_env: A tox environment object.
+    """
+    if tox_env.name == 'build-dists' and IS_GITHUB_ACTIONS_RUNTIME:
+        _log_debug_after_run_commands(
+            'Computing and storing the base64 representation '
+            'of the combined dists SHA-256 hash in GHA...',
+        )
+        dists_dir_path = Path(__file__).parent / 'dist'
+        emulated_sha256sum_output = '\n'.join(
+            _produce_sha256sum_line(artifact_path)
+            for artifact_path in dists_dir_path.glob('*')
+        )
+        emulated_base64_w0_output = b64encode(
+            emulated_sha256sum_output.encode(),
+        ).decode()
+
+        with Path(environ['GITHUB_OUTPUT']).open(
+            encoding=UNICODE_ENCODING,
+            mode=FILE_APPEND_MODE,
+        ) as outputs_file:
+            print(  # noqa: WPS421
+                'combined-dists-base64-encoded-sha256-hash='
+                f'{emulated_base64_w0_output !s}',
+                file=outputs_file,
+            )
+
+
 def tox_append_version_info() -> str:
     """Produce text to be rendered in ``tox --version``.