ci(packaging): validate sdist+wheel metadata with twine on every PR

[jd]

Without this, packaging-metadata bugs only surface at
release: published time — release 2026.5.5.1 was rejected by
PyPI's upload validator with 400 License-File LICENSE does not exist in distribution file because the LICENSE auto-bundling
hadn't been wired up. PR CI couldn't have caught it: build-sdist
was gated on inputs.stamp-version, so PR runs skipped the sdist
entirely, and there was no twine invocation anywhere.

Two changes:

1. build-sdist now runs on every PR. The version-stamping step
   and the artifact upload still gate on inputs.stamp-version
   (PR builds keep the placeholder version and skip the upload —
   the artifact is only useful for the publish job in
   release.yml). The Python toolchain is provisioned the same
   way as the wheel jobs.

2. twine check --strict runs against both the wheel (per
   matrix target) and the sdist immediately after each is built.
   Strict mode applies the same metadata rules PyPI's upload
   validator does — README rendering,
   Description-Content-Type, License-File presence — so a
   mismatch fails PR CI instead of the next release.

The cost is one extra ubuntu-24.04 job (~30s for sdist + twine
check) and a few seconds per wheel-matrix shard for the twine
install + check.

Co-Authored-By: Claude Opus 4.7 (1M context) noreply@anthropic.com

Depends-On: #1354

[jd]

This pull request is part of a Mergify stack:

#	Pull Request	Link
1	fix(packaging): bundle LICENSE in wheel and sdist	#1354
2	ci(packaging): validate sdist+wheel metadata with twine on every PR	#1355	👈
3	chore(port): drop PORT_STATUS.toml inventory in favor of port-and-delete	#1351
4	docs(port): add port review checklist for HTTP/test/UX parity pitfalls	#1357
5	feat(rust): port queue pause and unpause to native Rust (Phase 1.5)	#1352
6	feat(rust): port ci git-refs and ci queue-info to native Rust (Phase 1.6)	#1353
7	feat(rust): port queue status to native Rust (Phase 1.7)	#1359

[mergify]

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🟢 ⛓️ Depends-On Requirements

Wonderful, this rule succeeded.

Requirement based on the presence of Depends-On in the body of the pull request

• depends-on = Mergifyio/mergify-cli#1354 [⛓️ fix(packaging): bundle LICENSE in wheel and sdist #1354]

🟢 🤖 Continuous Integration

Wonderful, this rule succeeded.

• all of:
  • check-success=ci-gate

🟢 👀 Review Requirements

Wonderful, this rule succeeded.

• any of:
  • #approved-reviews-by>=2
  • author = dependabot[bot]
  • author = mergify-ci-bot
  • author = renovate[bot]

🟢 Enforce conventional commit

Wonderful, this rule succeeded.

Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/

• title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert|ui)(?:\(.+\))?:

🟢 🔎 Reviews

Wonderful, this rule succeeded.

• #changes-requested-reviews-by = 0
• #review-requested = 0
• #review-threads-unresolved = 0

🟢 📕 PR description

Wonderful, this rule succeeded.

• body ~= (?ms:.{48,})

[Copilot]

Pull request overview

Adds packaging validation to PR CI so metadata problems are caught before release publishing, aligning the reusable wheel/sdist workflow with the packaging fix from #1354.

Changes:

• Add LICENSE to the maturin package include list so built artifacts match the emitted License-File metadata.
• Run the reusable build-sdist job on every PR instead of only on release builds.
• Run twine check --strict after building each wheel and the sdist to validate publish-time metadata rules in CI.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
pyproject.toml	Includes LICENSE in maturin-built distributions to keep packaged contents aligned with metadata.
.github/workflows/build-wheels.yml	Expands reusable packaging CI to always build the sdist on PRs and validates both wheel and sdist metadata with Twine.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[mergify]

Merge Queue Status

• ✅ Entered queue — 2026-05-05 12:19 UTC · Rule: default
• ✅ Checks passed · on draft merge queue: embarking main (d31d0b7) and #1355 together #1360
• ✅ Merged — 2026-05-05 12:31 UTC · at 7f84caee351e177a184c2c3c2ccb19deb12e710f · squash

This pull request spent 12 minutes 22 seconds in the queue, including 11 minutes 56 seconds running CI.

Required conditions to merge

• depends-on = Mergifyio/mergify-cli#1354 [⛓️ fix(packaging): bundle LICENSE in wheel and sdist #1354]
  • ci(packaging): validate sdist+wheel metadata with twine on every PR #1355
• all of [🛡 Merge Protections rule Enforce conventional commit]:
  • title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert|ui)(?:\(.+\))?:
    • ci(packaging): validate sdist+wheel metadata with twine on every PR #1355
• all of [🛡 Merge Protections rule 👀 Review Requirements]:
  • any of:
    • #approved-reviews-by>=2
      • ci(packaging): validate sdist+wheel metadata with twine on every PR #1355
    • author = dependabot[bot]
      • ci(packaging): validate sdist+wheel metadata with twine on every PR #1355
    • author = mergify-ci-bot
      • ci(packaging): validate sdist+wheel metadata with twine on every PR #1355
    • author = renovate[bot]
      • ci(packaging): validate sdist+wheel metadata with twine on every PR #1355
• all of [🛡 Merge Protections rule 📕 PR description]:
  • body ~= (?ms:.{48,})
    • ci(packaging): validate sdist+wheel metadata with twine on every PR #1355
• all of [🛡 Merge Protections rule 🔎 Reviews]:
  • #changes-requested-reviews-by = 0
    • ci(packaging): validate sdist+wheel metadata with twine on every PR #1355
  • #review-requested = 0
    • ci(packaging): validate sdist+wheel metadata with twine on every PR #1355
  • #review-threads-unresolved = 0
    • ci(packaging): validate sdist+wheel metadata with twine on every PR #1355
• all of [🛡 Merge Protections rule 🤖 Continuous Integration]:
  • all of:
    • check-success=ci-gate