fix(release): keep dist/ pure for twine; bundle moves to bundle/

imanimanyara · imanimanyara · commit 4896512dbd20 · 2026-05-16T05:01:11.000-04:00
The v0.3.1 release run failed at the PyPI upload step because
twine rejected dist/SHA256SUMS as an invalid distribution. The
underlying issue: pypa/gh-action-pypi-publish uploads every file
in dist/ via `twine upload dist/*`, but our bundle script wrote
installer.py + .sha256 + .buildinfo.json + SHA256SUMS into dist/
alongside the wheel + sdist. All non-{whl,tar.gz} entries trip
twine's distribution validator.

Fix: dist/ stays strict (only .whl + .tar.gz). The single-file
installer.py bundle + its sidecars + SHA256SUMS move to a new
bundle/ dir. Order also reshuffled so SHA256SUMS is computed AFTER
PyPI upload — keeps dist/ pristine through the twine call.

Also adds an explicit `rm -rf dist/__pycache__` after `python -m
build` as a belt-and-suspenders measure (some build backends leave
caches behind).

The GitHub release attachments still reference the same five
files; only their source dirs change.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -26,25 +26,29 @@ jobs:
         run: |
           python -m pip install --upgrade pip build
           python -m build
+          # Remove dist/__pycache__/ if `python -m build` left one;
+          # twine treats every file in dist/ as a distribution and
+          # chokes on non-wheel/sdist entries.
+          rm -rf dist/__pycache__
 
-      - name: Build single-file bundle
-        run: python scripts/bundle.py --check
+      - name: Upload to PyPI (only whl + sdist)
+        uses: pypa/gh-action-pypi-publish@release/v1
+        # At this point dist/ contains exactly *.whl + *.tar.gz. The
+        # bundle + checksum file are written to bundle/ in the next
+        # step so twine doesn't try to upload them.
 
-      - name: Compute checksums
+      - name: Build single-file bundle (into separate `bundle/` dir)
         run: |
-          # `python -m build` leaves dist/__pycache__/ which trips
-          # `shasum dist/*`. Hash only release artifacts.
-          (cd dist && shasum -a 256 *.whl *.tar.gz installer.py > SHA256SUMS)
-
-      - name: Upload to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+          python scripts/bundle.py --output bundle/installer.py --check
+          shasum -a 256 dist/*.whl dist/*.tar.gz bundle/installer.py \
+            > bundle/SHA256SUMS
 
       - name: Attach bundle + checksums to GitHub Release
         uses: softprops/action-gh-release@v2
         with:
           files: |
-            dist/installer.py
-            dist/installer.py.sha256
+            bundle/installer.py
+            bundle/installer.py.sha256
+            bundle/SHA256SUMS
             dist/get_installer-*.whl
             dist/get_installer-*.tar.gz
-            dist/SHA256SUMS
