diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 7e6445fb..761e9279 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -223,11 +223,11 @@ jobs: - name: Validate wheels run: | - pip install "twine>=6.1,<6.2" + pip install check-wheel-contents for whl in dist/*.whl; do unzip -qt "$whl" done - twine check dist/* + check-wheel-contents dist/*.whl - name: Check PyPI for existing version id: pypi-check diff --git a/docs/content/docs/more/changelog.mdx b/docs/content/docs/more/changelog.mdx index dbae9878..24e4ff45 100644 --- a/docs/content/docs/more/changelog.mdx +++ b/docs/content/docs/more/changelog.mdx @@ -14,8 +14,10 @@ Patch release: publish workflow hardening. - **PyPI publish pre-check.** Publish job now queries PyPI before uploading, compares SHA-256 hashes per artifact, and skips upload when all wheels are already present. Prevents `400 File already exists` on workflow reruns. -- **PEP 639 compatibility.** Dropped `twine check --strict` which rejected the - `License-File` metadata emitted by maturin 1.13.3. Pinned `twine>=6.1`. +- **PEP 639 compatibility.** Replaced `twine check` with `check-wheel-contents` + for wheel validation. `twine check` broke on PEP 639 `License-File` metadata + emitted by maturin 1.13.3 (`packaging` library incompatibility). Structural + validation via `check-wheel-contents`; PyPI validates metadata on upload. - **Timeout guards.** Added `timeout=30` on PyPI API calls and `--connect-timeout 10 --max-time 30` on verification curl. - **Dashboard artifact download retry.** Extracted dashboard download into a