test: rename artifacts

Author: behnazh

.github/workflows/_build.yaml

@@ -50,10 +50,10 @@ jobs:
       matrix:
         # It is recommended to pin a Runner version specifically:
         # https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners
-        # os: [ubuntu-latest, ubuntu-24.04-arm, macos-latest, windows-latest]
-        # python: ['3.10', '3.11', '3.12', '3.13']
-        os: [ubuntu-24.04-arm]
-        python: ['3.13']
+        # os: [ubuntu-24.04, ubuntu-24.04-arm, macos-latest, windows-latest]
+        os: [ubuntu-24.04, ubuntu-24.04-arm]
+        python: ['3.10', '3.11', '3.12', '3.13']
+
     steps:
 
     - name: Harden Runner
@@ -101,13 +101,13 @@ jobs:
     # Generate the requirements.txt that contains the hash digests of the dependencies and
     # generate the SBOM using CyclonDX SBOM generator.
     - name: Generate requirements.txt and SBOM
-      if: matrix.os == env.ARTIFACT_OS && matrix.python == env.ARTIFACT_PYTHON
+      if: matrix.python == env.ARTIFACT_PYTHON
       run: make requirements sbom
 
     # Remove the old requirements.txt file (which includes _all_ packages) and generate a
     # new one for the package and its actual and required dependencies only.
     - name: Prune packages and generate required requirements.txt
-      if: matrix.os == env.ARTIFACT_OS && matrix.python == env.ARTIFACT_PYTHON
+      if: matrix.python == env.ARTIFACT_PYTHON
       run: |
         rm requirements.txt
         make prune requirements

.github/workflows/pr-change-set.yaml

@@ -21,3 +21,33 @@ jobs:
       contents: read
     with:
       disable-pip-audit: ${{ vars.DISABLE_PIP_AUDIT == 'true' }}
+
+  test:
+    needs: [build]
+    name: test
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+
+    - name: Check out repository
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        fetch-depth: 0
+
+    - name: Download artifact
+      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+      with:
+        path: dist
+
+    # Verify hashes by first computing hashes for the artifacts and then comparing them
+    # against the hashes computed by the build job.
+    - name: Verify the artifact hash
+      env:
+        ARTIFACT_HASH: ${{ needs.build.outputs.artifacts-sha256 }}
+      run: |
+        set -euo pipefail
+        echo "Hash of package should be $ARTIFACT_HASH."
+        echo "Decoding the artifact hash:"
+        echo "$ARTIFACT_HASH" | base64 --decode
+        echo "$ARTIFACT_HASH" | base64 --decode | sha256sum --strict --check --status || exit 1

Makefile

@@ -5,7 +5,18 @@ SHELL := bash
 
 # Set the package's name and version for use throughout the Makefile.
 PACKAGE_NAME := package
-PACKAGE_VERSION := $(shell python -c $$'try: import $(PACKAGE_NAME); print($(PACKAGE_NAME).__version__);\nexcept: print("unknown");')
+PACKAGE_VERSION := $(shell python -c $$'try: import $(PACKAGE_NAME); print($(PACKAGE_NAME).__version__, end="");\nexcept: print("unknown");')
+
+OS_NAME := "$(shell uname)"
+ifeq ($(OS_NAME), "Darwin")
+  OS := darwin
+else
+  ifeq ($(OS_NAME), "Linux")
+	OS := linux
+  endif
+endif
+
+ARCH :=  $(shell echo `uname -m` | xargs)# E.g., arm64 or x86_64.
 
 # This variable contains the first goal that matches any of the listed goals
 # here, else it contains an empty string. The net effect is to filter out
@@ -107,7 +118,7 @@ upgrade-quiet:
 # Generate a Software Bill of Materials (SBOM).
 .PHONY: sbom
 sbom: requirements
-	cyclonedx-py requirements --output-format json --outfile dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-sbom.json
+	cyclonedx-py requirements --output-format json --outfile dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-$(OS)-$(ARCH)-sbom.json
 
 # Generate a requirements.txt file containing version and integrity hashes for all
 # packages currently installed in the virtual environment. There's no easy way to
@@ -129,14 +140,14 @@ requirements.txt: pyproject.toml
 	  [[ $$pkg =~ (.*)==(.*) ]] && curl -s https://pypi.org/pypi/$${BASH_REMATCH[1]}/$${BASH_REMATCH[2]}/json | python -c "import json, sys; print(''.join(f''' \\\\\n    --hash=sha256:{pkg['digests']['sha256']}''' for pkg in json.load(sys.stdin)['urls']));" >> requirements.txt; \
 	done
 	echo -e -n "$(PACKAGE_NAME)==$(PACKAGE_VERSION)" >> requirements.txt
-	if [ -f dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION).tar.gz ]; then \
-	  echo -e -n " \\\\\n    $$(python -m pip hash --algorithm sha256 dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION).tar.gz | grep '^\-\-hash')" >> requirements.txt; \
+	if [ -f dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-$(OS)-$(ARCH).tar.gz ]; then \
+	  echo -e -n " \\\\\n    $$(python -m pip hash --algorithm sha256 dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-$(OS)-$(ARCH).tar.gz | grep '^\-\-hash')" >> requirements.txt; \
 	fi
-	if [ -f dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-py3-none-any.whl ]; then \
-	  echo -e -n " \\\\\n    $$(python -m pip hash --algorithm sha256 dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-py3-none-any.whl | grep '^\-\-hash')" >> requirements.txt; \
+	if [ -f dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-py3-$(OS)-$(ARCH).whl ]; then \
+	  echo -e -n " \\\\\n    $$(python -m pip hash --algorithm sha256 dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-py3-$(OS)-$(ARCH).whl | grep '^\-\-hash')" >> requirements.txt; \
 	fi
 	echo "" >> requirements.txt
-	cp requirements.txt dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-requirements.txt
+	cp requirements.txt dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-$(OS)-$(ARCH)-requirements.txt
 
 # Audit the currently installed packages. Skip packages that are installed in
 # editable mode (like the one in development here) because they may not have
@@ -175,17 +186,19 @@ test:
 # When building these artifacts, we need the environment variable SOURCE_DATE_EPOCH
 # set to the build date/epoch. For more details, see: https://flit.pypa.io/en/latest/reproducible.html
 .PHONY: dist
-dist: dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-py3-none-any.whl dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION).tar.gz dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-docs-html.zip dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-docs-md.zip dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-build-epoch.txt
-dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-py3-none-any.whl: check test
+dist: dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-py3-none-any.whl dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION).tar.gz dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-docs-html.zip dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-docs-md.zip dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-$(OS)-$(ARCH)-build-epoch.txt
+dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-py3-none-any.whl:
 	SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) flit build --setup-py --format wheel
-dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION).tar.gz: check test
+	mv dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-py3-none-any.whl dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-py3-$(OS)-$(ARCH).whl
+dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION).tar.gz:
 	SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) flit build --setup-py --format sdist
+	mv dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION).tar.gz dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-$(OS)-$(ARCH).tar.gz
 dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-docs-html.zip: docs-html
 	python -m zipfile -c dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-docs-html.zip docs/_build/html/
 dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-docs-md.zip: docs-md
 	python -m zipfile -c dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-docs-md.zip docs/_build/markdown/
-dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-build-epoch.txt:
-	echo $(SOURCE_DATE_EPOCH) > dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-build-epoch.txt
+dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-$(OS)-$(ARCH)-build-epoch.txt:
+	echo $(SOURCE_DATE_EPOCH) > dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-$(OS)-$(ARCH)-build-epoch.txt
 
 # Build the HTML and Markdown documentation from the package's source.
 DOCS_SOURCE := $(shell git ls-files docs/source)