Add pylock

[sbidoul]

Here is the proposal for pylock.toml support.

• immutable keywords-only dataclasses
• a Pylock.from_dict class method to validate and create a Pylock instance from a toml dict (obtained from tomllib.load)
• a Pylock.to_dict method to convert to a spec-compliant toml dict (assuming types were respected when populating the dataclass), preserving the recommended field ordering
• this uses frozen keyword-only dataclasses, which makes the constructors look weird, but that will be cleaned up without API change when this project drops support for python 3.9
• is_valid_pylock_path to validate pylock file names
• a validate method to check that a Pylock instance is spec compliant (one obtained from from_dict is guaranteed to be, but one created manually may not be)
• toml (de)serialization left out on purpose

Documentation is still TODO.

closes #898

[sbidoul]

In the spec, the upload_time field is not at the same position for archive and sdist / wheel.

Is that intended or something we want to tweak here and/or in the spec?

[brettcannon]

That was intended as the idea (and expected value) comes from the index API and I don't think archives are supported there.

[brettcannon]

But if people have uses for an upload time for archives then I suspect making it a 1.1 change wouldn't be controversial.

[sbidoul]

Note my remark was only about the ordering of the fields, not about the presence of upload_time in archive.

[sbidoul]

I consider this PR ready for review. I plan to add documentation after a first round of review, assuming the overall design is agreeable to packaging maintainers, of course.

[brettcannon]

FYI I'm hoping to look at this post-EuroPython in hopes that it helps unblock pip so it can add installation support for pylock.toml.

[brettcannon]

Looks good overall! Some docstring tweaks-- since that will be documentation --and potential test tweaks. You can feel free to ignore the assignment expression suggestions if you want.

[sbidoul]

@brettcannon thanks for the review. I handled the comments and added a documentation page. This is ready for a second round.

[brettcannon]

LGTM! Thanks for all the work on this, @sbidoul !

@pradyunsg @henryiii any opinions on this before we merge it?

[henryiii]

I'm heading out for a week, won't have time to review the code soon, excited by the idea though! :)

Is the docs failure related? Looks like it might be due to a merge after #897?

[notatallshaw]

Is the docs failure related? Looks like it might be due to a merge after #897?

The error does look related, if I get a moment in the next few days I will try and checkout this branch and understand why this is happening in the docs build.

[notatallshaw]

Is the docs failure related? Looks like it might be due to a merge after #897?

Fix: #926

[sbidoul]

I added a few commits with some minor improvements, notably:

• handle the str is a Sequence[str] gotcha in validation
• validate attestation-identities.kind

Let me know if there is something else I can do.

[brettcannon]

My approval stands, so I think we just need @henryiii or @pradyunsg to also approve and then we can merge this!

[henryiii]

I actually thought I had approved this.

[brettcannon]

Thanks to @sbidoul for the PR and everyone for their reviews!

[woodruffw]

This is awesome, thanks a ton @sbidoul!

[brettcannon]

I now selfishly hope this unblocks pylock.toml installation by pip. 😁

[ichard26]

This is exciting news 🎉