ENG-1793: Install decrypted private-ingredient wheels at consume time#3822

Open: mitchell-as wants to merge 3 commits into mitchell/eng-1643 from mitchell/eng-1793

@mitchell-as mitchell-as commented Jun 29, 2026

ENG-1793: Install decrypted private-ingredient wheels at consume time

Part of the private ingredient work (ENG-1563). Until now the consume path decrypted a private ingredient's wheel but left it as an unextracted .whl file, so the package wasn't importable. This installs the wheel so a pulled project can actually use it.

After decryption, the wheel is installed into a self-contained site-packages directory and exposed on PYTHONPATH through the artifact's runtime.json; the existing deploy machinery then links it into the runtime.

The integration test now verifies the installed package imports via state exec python3 -c "import greeting" rather than checking for a leftover wheel file.

Base branch: targets mitchell/eng-1643; GitHub will retarget it to version/0-48-1-RC2 once the upstream PRs land.

🤖 Generated with Claude Code

After decrypting a private ingredient the consume path now installs the wheel
into a self-contained site-packages directory and exposes it on PYTHONPATH via
the artifact's runtime.json, rather than leaving the wheel file unextracted, so
the package is importable in the runtime.

A new internal/python/wheelinstall package extracts the wheel (confining entries
to the destination) and writes the PEP 376 INSTALLER marker. The consume path
gates the install on a .whl payload and logs anything else, leaving room for
other payload types. The integration test now verifies the package imports via
`state exec python3`.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Copilot AI left a comment

Pull request overview

This PR updates the “consume/install” path for encrypted private ingredients so that, after decryption, private ingredient wheels are actually installed into a self-contained site-packages directory and exposed via PYTHONPATH (through runtime.json), making the package importable in pulled projects.

Changes:

  • Install decrypted private-ingredient .whl payloads into an artifact-local site-packages directory during runtime setup.
  • Add a new internal wheelinstall package that extracts a wheel with “untrusted source” confinement and writes the PEP 376 INSTALLER marker.
  • Update the integration test to validate end-to-end behavior by importing the installed package rather than inspecting wheel files on disk.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| test/integration/publish_int_test.go | Switches verification from “wheel exists/decrypted” to “package is importable and prints sentinel”. |
| pkg/runtime/setup.go | Adds private-wheel detection, installation into site-packages, and PYTHONPATH exposure via runtime.json. |
| internal/python/wheelinstall/wheelinstall.go | Introduces wheel extraction + INSTALLER marker writing for pure-Python wheels. |
| internal/python/wheelinstall/wheelinstall_test.go | Adds unit tests for wheel extraction and missing .dist-info failure behavior. |
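
The entry confinement and missing-`.dist-info` failure described above, as an added Go example that is not the PR's `wheelinstall` code: it vets a wheel before anything is written and returns where each file and the PEP 376 `INSTALLER` marker would go. The names `planInstall` and `sampleWheel`, the `greeting-1.0` version and the `site-packages` destination are assumptions made for illustration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"path/filepath"
	"strings"
)

// planInstall (hypothetical) maps each wheel entry to a target under dest and
// returns the PEP 376 INSTALLER path, failing before anything is written.
func planInstall(zr *zip.Reader, dest string) (targets map[string]string, installer string, err error) {
	targets = map[string]string{}
	for _, f := range zr.File {
		// IsLocal (Go 1.20+) rejects absolute and ".." paths; symlinks and other special modes are refused.
		if !filepath.IsLocal(filepath.FromSlash(f.Name)) || !(f.Mode().IsRegular() || f.Mode().IsDir()) {
			return nil, "", fmt.Errorf("unsafe wheel entry %q", f.Name)
		}
		if top, _, ok := strings.Cut(f.Name, "/"); ok && strings.HasSuffix(top, ".dist-info") {
			installer = filepath.Join(dest, top, "INSTALLER")
		}
		if f.Mode().IsRegular() {
			targets[f.Name] = filepath.Join(dest, filepath.FromSlash(f.Name))
		}
	}
	if installer == "" {
		return nil, "", fmt.Errorf("wheel has no .dist-info directory")
	}
	return targets, installer, nil
}

// sampleWheel builds a constructed in-memory wheel with empty entries of the given names.
func sampleWheel(names ...string) *zip.Reader {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, n := range names {
		zw.Create(n)
	}
	zw.Close()
	zr, _ := zip.NewReader(bytes.NewReader(buf.Bytes()), int64(buf.Len()))
	return zr
}

func main() {
	for _, first := range []string{"greeting/__init__.py", "../evil.py"} {
		_, marker, err := planInstall(sampleWheel(first, "greeting-1.0.dist-info/METADATA"), "site-packages")
		fmt.Println(first, "->", marker, err)
	}
}
```

An installer built on this would write only to the returned targets and then create the marker file at the returned path.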

Comment thread pkg/runtime/setup.go
Comment thread pkg/runtime/setup.go
Comment thread pkg/runtime/setup.go
Comment thread pkg/runtime/setup.go
Comment thread internal/python/wheelinstall/wheelinstall.go
… (ENG-1793)

The private artifact's PYTHONPATH entry must share the separator and inherit
directives of the Python runtime's own PYTHONPATH entry, or the cross-artifact
environment merge fails ("incompatible separator or inherit directives"). Use a
canonical ":" separator and inherit=false to match it, rather than
os.PathListSeparator and inherit=true.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

@mitchell-as

Test failures are sporadic. The only one that matters is passing:

✅ TestPublishIntegrationTestSuite/TestPublishBuildEncrypted (50.37s)
