Publish sdist for future pyVmomi releases to meet SLSA and compliance requirements
Is your feature request related to a problem? Please describe.
Our project requires building all dependencies from source for security and compliance reasons (e.g., following SLSA 3).
Since pyVmomi 9.0.0.0 only ships wheels (no sdist), we cannot build it from source, which makes it harder to meet these requirements.
Describe the solution you'd like
Please publish a source distribution (sdist) on PyPI for future pyVmomi releases, alongside the wheels.
This would allow downstream projects like ours to build from source and remain compliant.
Describe alternatives you've considered
No response
Additional context
No response
Hello Nicole. Thanks for pointing this out.
Can you share more details on your use case?
Also, for the time being, is it possible for you to just build pyVmomi from the GitHub sources? You could also build a source distribution if some tool specifically requires it: python -m build --sdist -n
Hi Daniel, thanks again! Yes, we did build pyVmomi from the GitHub source as a temporary workaround, since the project is open source, that’s of course possible. That said, it’s not ideal for our compliance process. For SLSA 3, we need to rely on artifacts that come from a verifiable, official distribution channel like PyPI. Building from GitHub breaks that trust chain unless we also generate and maintain our own attestation and provenance metadata, which adds operational overhead and weakens the guarantees that come from having a consistent source of truth. That’s why having the sdist published directly to PyPI would make a real difference for downstream consumers like us. Appreciate your time!
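A downstream gate for the situation discussed in this thread, as an added example that is not part of the issue or of the pyVmomi project: it rejects a release whose index metadata lists only wheels and checks a downloaded sdist against the published SHA-256. The metadata is a constructed sample shaped like the `urls` array of PyPI's JSON API; the package name, filenames, digests and the `PolicyError`, `find_sdist` and `verify_artifact` names are assumptions.

```python
import hashlib

# Constructed sample shaped like the "urls" array returned by PyPI's JSON API
# (https://pypi.org/pypi/<project>/<version>/json). Filenames and digests are
# placeholders, not real pyVmomi release data.
SDIST_BYTES = b"constructed sdist contents"
WHEEL_ONLY = {"urls": [
    {"packagetype": "bdist_wheel",
     "filename": "example_pkg-2.0-py3-none-any.whl",
     "digests": {"sha256": "0" * 64}},
]}
WITH_SDIST = {"urls": WHEEL_ONLY["urls"] + [
    {"packagetype": "sdist",
     "filename": "example_pkg-2.0.tar.gz",
     "digests": {"sha256": hashlib.sha256(SDIST_BYTES).hexdigest()}},
]}


class PolicyError(Exception):
    """Raised when a release cannot satisfy a build-from-source policy."""


def find_sdist(release):
    """Return the single sdist entry of a release, or raise PolicyError."""
    sdists = [f for f in release.get("urls", [])
              if f.get("packagetype") == "sdist"]
    if not sdists:
        raise PolicyError("release ships wheels only; no sdist to build from")
    if len(sdists) > 1:
        raise PolicyError("more than one sdist listed; refusing to guess")
    return sdists[0]


def verify_artifact(release, artifact):
    """Check downloaded sdist bytes against the index digest; return filename."""
    entry = find_sdist(release)
    expected = entry.get("digests", {}).get("sha256")
    if not expected:
        raise PolicyError("index entry has no sha256 digest")
    actual = hashlib.sha256(artifact).hexdigest()
    if actual != expected:
        raise PolicyError("sha256 mismatch for " + entry["filename"])
    return entry["filename"]
```

A digest match only shows the file is the one the index serves; it is not build provenance or an attestation.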