diff --git a/.github/workflows/poetry_lockfile.yaml b/.github/workflows/poetry_lockfile.yaml
new file mode 100644
index 0000000000..ae4d27f2de
--- /dev/null
+++ b/.github/workflows/poetry_lockfile.yaml
@@ -0,0 +1,24 @@
+on:
+ push:
+ branches: ["develop", "release-*"]
+ paths:
+ - poetry.lock
+ pull_request:
+ paths:
+ - poetry.lock
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ check-sdists:
+ name: "Check locked dependencies have sdists"
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - uses: actions/setup-python@v4
+ with:
+ python-version: '3.x'
+ - run: pip install tomli
+ - run: ./scripts-dev/check_locked_deps_have_sdists.py
diff --git a/changelog.d/14742.misc b/changelog.d/14742.misc
new file mode 100644
index 0000000000..c0b5d2c062
--- /dev/null
+++ b/changelog.d/14742.misc
@@ -0,0 +1 @@
+Add check to ensure locked dependencies have source distributions available.
\ No newline at end of file
diff --git a/poetry.lock b/poetry.lock
index 688fd2ac26..e534b30d2b 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -3027,4 +3027,4 @@ user-search = ["pyicu"]
[metadata]
lock-version = "2.0"
python-versions = "^3.7.1"
-content-hash = "16528ddab686d1bc3180ff37b09de35b904f68516cfdcc3942844163a126255e"
+content-hash = "95cb043fa56e1e3275ba7f74b68b2191bd5886eea3e06b8cd370d7fc9fea3c07"
diff --git a/pyproject.toml b/pyproject.toml
index 21621510c8..880f2d3bd8 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -346,6 +346,9 @@ twine = "*"
# Towncrier min version comes from #3425. Rationale unclear.
towncrier = ">=18.6.0rc1"
+# Used for checking the Poetry lockfile
+tomli = ">=1.2.3"
+
[build-system]
# The upper bounds here are defensive, intended to prevent situations like
# #13849 and #14079 where we see buildtime or runtime errors caused by build
diff --git a/scripts-dev/check_locked_deps_have_sdists.py b/scripts-dev/check_locked_deps_have_sdists.py
new file mode 100755
index 0000000000..63ad99280a
--- /dev/null
+++ b/scripts-dev/check_locked_deps_have_sdists.py
@@ -0,0 +1,58 @@
+#! /usr/bin/env python
+# Copyright 2022 The Matrix.org Foundation C.I.C.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+import sys
+from pathlib import Path
+from typing import Dict, List
+
+import tomli
+
+
+def main() -> None:
+ lockfile_path = Path(__file__).parent.parent.joinpath("poetry.lock")
+ with open(lockfile_path, "rb") as lockfile:
+ lockfile_content = tomli.load(lockfile)
+
+ # Poetry 1.3+ lockfile format:
+ # There's a `files` inline table in each [[package]]
+ packages_to_assets: Dict[str, List[Dict[str, str]]] = {
+ package["name"]: package["files"] for package in lockfile_content["package"]
+ }
+
+ success = True
+
+ for package_name, assets in packages_to_assets.items():
+ has_sdist = any(asset["file"].endswith(".tar.gz") for asset in assets)
+ if not has_sdist:
+ success = False
+ print(
+ f"Locked package {package_name!r} does not have a source distribution!",
+ file=sys.stderr,
+ )
+
+ if not success:
+ print(
+ "\nThere were some problems with the Poetry lockfile (poetry.lock).",
+ file=sys.stderr,
+ )
+ sys.exit(1)
+
+ print(
+ f"Poetry lockfile OK. {len(packages_to_assets)} locked packages checked.",
+ file=sys.stderr,
+ )
+
+
+if __name__ == "__main__":
+ main()
|
