Architecture
The edapack build system separates what a tool is made of (declared per
repo) from how tools are built and released (shared once in
edapack-common).
The manifest contract
Every release ships manifest.json (schema edapack.manifest/1). It records
the package, the release metadata, the resolved inputs, the built platforms,
and the shipped skills. The key field is inputs_digest:
inputs_digest = sha256( recipe_sha + sorted([{name, resolved_sha} for tracked inputs]) )
Because the digest folds in both the resolved commit of every tracked input
and the tool repo’s own commit (recipe_sha, the “build recipe”), it
changes exactly when a rebuild is warranted: an upstream bump, a dependency
bump, or a change to the build itself. Inputs marked track: false are recorded
in the manifest but excluded from the digest, so noisy dependencies don’t force
releases.
See Release manifest reference for the full field reference.
The resolve → gate → build → publish flow
The reusable workflow (edapack-common/.github/workflows/build-release.yml)
runs four stages:
1. resolve — resolve-inputs.py reads the repo’s build-inputs.yaml, applies any manual overrides, and resolves each input’s policy to a concrete commit SHA (via git ls-remote / the GitHub releases API — no clone). It emits a candidate manifest fragment with the inputs_digest.
2. gate — manifest-diff.py compares the candidate against the previous release’s manifest.json and decides build_needed:
   - no prior release, force, a push, or a pinned workflow_dispatch → build
   - a scheduled run whose digest is unchanged → skip (no release)
   - a changed digest → build, and the changed inputs go into the release notes
3. build (matrix, one job per manylinux image) — docker runs the tool’s scripts/build.sh in the stock quay.io/pypa/manylinux* image (deps installed at build time). build.sh sources build-common.sh (delivered via ivpm at packages/edapack-common) and calls ec_finalize_release, which stages skills, ships export.envrc, and writes the per-platform manifest.json.
4. publish — merges the per-platform manifests into one top-level manifest.json and creates the GitHub Release with the tarballs + manifest.
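The digest and gate rules described above, as an added sketch that is not code from edapack-common. The JSON byte encoding, the fragment layout with an inputs list, the "recipe" label and the function names are assumptions; the page gives only the formula and the gate rules.

```python
import hashlib
import json

def inputs_digest(recipe_sha, inputs):
    # Only tracked inputs count; sorting makes the digest independent of
    # declaration order.
    tracked = sorted([i["name"], i["resolved_sha"]]
                     for i in inputs if i.get("track", True))
    # Assumed encoding: compact JSON, so field boundaries are unambiguous
    # (bare concatenation would let "ab"+"c" collide with "a"+"bc").
    payload = json.dumps([recipe_sha, tracked], separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()

def candidate_manifest(recipe_sha, inputs):
    # Hypothetical fragment layout; only recipe_sha, name, resolved_sha,
    # inputs_digest and track are names taken from the page.
    return {"recipe_sha": recipe_sha, "inputs": inputs,
            "inputs_digest": inputs_digest(recipe_sha, inputs)}

def gate(candidate, previous, event, force=False, pinned=False):
    """Return (build_needed, changed) following the gate rules above."""
    if previous is None or force or event == "push":
        return True, []
    if event == "workflow_dispatch" and pinned:
        return True, []
    if candidate["inputs_digest"] == previous["inputs_digest"]:
        return False, []  # stated for scheduled runs; assumed for other events
    old = {i["name"]: i["resolved_sha"] for i in previous["inputs"]}
    changed = [i["name"] for i in candidate["inputs"]
               if i.get("track", True) and old.get(i["name"]) != i["resolved_sha"]]
    if candidate["recipe_sha"] != previous["recipe_sha"]:
        changed.append("recipe")
    return True, sorted(changed)

# Constructed sample data (not real commits).
PREV = candidate_manifest("a" * 40, [
    {"name": "upstream", "resolved_sha": "1" * 40},
    {"name": "docs-theme", "resolved_sha": "2" * 40, "track": False}])
NOISY = candidate_manifest("a" * 40, [  # untracked bump, reordered
    {"name": "docs-theme", "resolved_sha": "3" * 40, "track": False},
    {"name": "upstream", "resolved_sha": "1" * 40}])
BUMPED = candidate_manifest("a" * 40, [  # tracked bump
    {"name": "upstream", "resolved_sha": "4" * 40},
    {"name": "docs-theme", "resolved_sha": "2" * 40, "track": False}])

if __name__ == "__main__":
    print(gate(NOISY, PREV, "schedule"))
    print(gate(BUMPED, PREV, "schedule"))
```

Because untracked inputs are still recorded in the manifest, a consumer auditing a release can see their resolved commits even though they never trigger a rebuild.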
Directory conventions (rootless-safe)
build-common.sh enforces three directories so nothing transient lands in the
source tree:
| Var | Meaning | CI | Local |
|---|---|---|---|
| | read-only source checkout | workspace | mounted |
| | clones, build trees, staging | | named docker volume |
| | final tarball + manifest | | host-owned |
This is what makes local manylinux builds leave zero root-owned files in the workspace. See Local builds.