From 62580abf9ce5f6e92b2ab531a0949dbe68dc822f Mon Sep 17 00:00:00 2001
From: Jussi Kukkonen
Date: Fri, 8 Apr 2022 10:32:14 +0300
Subject: [PATCH] verify_release: Build from git sources only

Make a new (local) git clone to build from. This ensures uncommitted files do not affect the build.

Signed-off-by: Jussi Kukkonen
---
 verify_release | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/verify_release b/verify_release
index 6479720184..0db3cd672b 100755
--- a/verify_release
+++ b/verify_release
@@ -34,13 +34,22 @@ PYPI_PROJECT = "tuf"
 def build(build_dir: str) -> str:
 """Build release locally. Return version as string"""
- cmd = ["python3", "-m", "build", "--outdir", build_dir]
- subprocess.run(cmd, stdout=subprocess.DEVNULL, check=True)
+ orig_dir = os.path.dirname(os.path.abspath(__file__))
+
+ with TemporaryDirectory() as src_dir:
+ # fresh git clone: this prevents uncommitted files from affecting build
+ git_cmd = ["git", "clone", "--quiet", orig_dir, src_dir]
+ subprocess.run(git_cmd, stdout=subprocess.DEVNULL, check=True)
+
+ build_cmd = ["python3", "-m", "build", "--outdir", build_dir, src_dir]
+ subprocess.run(build_cmd, stdout=subprocess.DEVNULL, check=True)
+
 build_version = None
 for filename in os.listdir(build_dir):
 prefix, postfix = f"{PYPI_PROJECT}-", ".tar.gz"
 if filename.startswith(prefix) and filename.endswith(postfix):
 build_version = filename[len(prefix) : -len(postfix)]
+
 assert build_version
 return build_version
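Review bot: The fresh clone in `build()` checks out whatever commit the local repository's HEAD points to, so it excludes uncommitted files but still builds from local, unpushed commits or from a branch other than the release tag. Since the script's purpose is verifying release artifacts, the built commit should be made visible, for example by adding `subprocess.run(["git", "-C", src_dir, "rev-parse", "HEAD"], check=True)` right after the clone. If the rest of the script knows the expected release ref (not visible in this hunk), comparing against it before building would be stronger. The inline comment could state the actual guarantee: `# fresh git clone of the current HEAD: uncommitted files cannot affect the build`.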