verify_release: Build from git sources only

Jussi Kukkonen · Jussi Kukkonen · commit 88a7fa9160d8 · 2022-04-08T10:32:14.000+03:00
Make a new (local) git clone to ensure uncommitted files do not affect
the build.

Signed-off-by: Jussi Kukkonen &lt;jkukkonen@vmware.com&gt;
diff --git a/verify_release b/verify_release
@@ -34,16 +34,23 @@ PYPI_PROJECT = "tuf"
 
 def build(build_dir: str) -> str:
     """Build release locally. Return version as string"""
-    cmd = ["python3", "-m", "build", "--outdir", build_dir]
-    subprocess.run(cmd, stdout=subprocess.DEVNULL, check=True)
-    build_version = None
-    for filename in os.listdir(build_dir):
-        prefix, postfix = f"{PYPI_PROJECT}-", ".tar.gz"
-        if filename.startswith(prefix) and filename.endswith(postfix):
-            build_version = filename[len(prefix) : -len(postfix)]
-    assert build_version
-    return build_version
+    orig_dir = os.path.dirname(os.path.abspath(__file__))
+    build_cmd = ["python3", "-m", "build", "--outdir", build_dir, orig_dir]
 
+    with TemporaryDirectory() as src_dir:
+        # fresh git clone: this prevents uncommitted files from affecting build
+        git_cmd = ["git", "clone", "--quiet", orig_dir, src_dir]
+        subprocess.run(git_cmd, stdout=subprocess.DEVNULL, check=True)
+
+        subprocess.run(build_cmd, stdout=subprocess.DEVNULL, check=True)
+        build_version = None
+        for filename in os.listdir(build_dir):
+            prefix, postfix = f"{PYPI_PROJECT}-", ".tar.gz"
+            if filename.startswith(prefix) and filename.endswith(postfix):
+                build_version = filename[len(prefix) : -len(postfix)]
+
+        assert build_version
+        return build_version
 
 def get_git_version() -> str:
     """Return version string from git describe"""
