ENG-1793: Install decrypted private-ingredient wheels at consume time #3822
Open
mitchell-as wants to merge 3 commits into
After decrypting a private ingredient the consume path now installs the wheel into a self-contained site-packages directory and exposes it on PYTHONPATH via the artifact's runtime.json, rather than leaving the wheel file unextracted, so the package is importable in the runtime. A new internal/python/wheelinstall package extracts the wheel (confining entries to the destination) and writes the PEP 376 INSTALLER marker. The consume path gates the install on a .whl payload and logs anything else, leaving room for other payload types. The integration test now verifies the package imports via `state exec python3`.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Pull request overview
This PR updates the “consume/install” path for encrypted private ingredients so that, after decryption, private ingredient wheels are actually installed into a self-contained site-packages directory and exposed via PYTHONPATH (through runtime.json), making the package importable in pulled projects.
Changes:
- Install decrypted private-ingredient `.whl` payloads into an artifact-local `site-packages` directory during runtime setup.
- Add a new internal `wheelinstall` package that extracts a wheel with “untrusted source” confinement and writes the PEP 376 `INSTALLER` marker.
- Update the integration test to validate end-to-end behavior by importing the installed package rather than inspecting wheel files on disk.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| test/integration/publish_int_test.go | Switches verification from “wheel exists/decrypted” to “package is importable and prints sentinel”. |
| pkg/runtime/setup.go | Adds private-wheel detection, installation into site-packages, and PYTHONPATH exposure via runtime.json. |
| internal/python/wheelinstall/wheelinstall.go | Introduces wheel extraction + INSTALLER marker writing for pure-Python wheels. |
| internal/python/wheelinstall/wheelinstall_test.go | Adds unit tests for wheel extraction and missing .dist-info failure behavior. |
… (ENG-1793)
The private artifact's PYTHONPATH entry must share the separator and inherit
directives of the Python runtime's own PYTHONPATH entry, or the cross-artifact
environment merge fails ("incompatible separator or inherit directives"). Use a
canonical ":" separator and inherit=false to match it, rather than
os.PathListSeparator and inherit=true.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Collaborator Author
Test failures are sporadic. The only one that matters is passing:
8c3d58b to 2cf9b04
ENG-1793: Install decrypted private-ingredient wheels at consume time
Part of the private ingredient work (ENG-1563). Until now the consume path decrypted a private ingredient's wheel but left it as an unextracted `.whl` file, so the package wasn't importable. This installs the wheel so a pulled project can actually use it.
After decryption, the wheel is installed into a self-contained `site-packages` directory and exposed on `PYTHONPATH` through the artifact's `runtime.json`; the existing deploy machinery then links it into the runtime.
The integration test now verifies the installed package imports via `state exec python3 -c "import greeting"` rather than checking for a leftover wheel file.
Base branch: targets `mitchell/eng-1643`; GitHub will retarget it to `version/0-48-1-RC2` once the upstream PRs land.
🤖 Generated with Claude Code
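
The extraction step this PR describes (confining wheel entries to the destination, failing when `.dist-info` is missing, writing the PEP 376 `INSTALLER` marker), as an added Go example that is not the PR's `wheelinstall` code. The `installWheel` name, the `example-installer` marker value and the validate-then-extract layout are assumptions.

```go
package main

import (
	"archive/zip"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// installWheel: added sketch, not the PR's wheelinstall code; dest must be absolute.
func installWheel(zr *zip.Reader, dest string) error {
	root, distInfo := filepath.Clean(dest)+string(os.PathSeparator), ""
	for _, f := range zr.File { // pass 1: validate every entry, write nothing
		target := filepath.Join(dest, filepath.FromSlash(f.Name))
		if m := f.Mode(); !strings.HasPrefix(target, root) || !(m.IsRegular() || m.IsDir()) {
			return fmt.Errorf("refusing wheel entry %q", f.Name) // escapes dest, or symlink/device
		}
		if top, _, ok := strings.Cut(f.Name, "/"); ok && strings.HasSuffix(top, ".dist-info") {
			distInfo = top
		}
	}
	if distInfo == "" {
		return fmt.Errorf("wheel has no .dist-info directory")
	}
	for _, f := range zr.File { // pass 2: extract regular files
		if f.Mode().IsDir() {
			continue // parent directories are created on demand
		}
		target := filepath.Join(dest, filepath.FromSlash(f.Name))
		data, err := fs.ReadFile(zr, f.Name) // reads the whole entry into memory
		if err == nil {
			err = os.MkdirAll(filepath.Dir(target), 0o755)
		}
		if err == nil {
			err = os.WriteFile(target, data, 0o644)
		}
		if err != nil {
			return err
		}
	}
	// PEP 376 INSTALLER marker; "example-installer" is a placeholder tool name.
	return os.WriteFile(filepath.Join(dest, distInfo, "INSTALLER"), []byte("example-installer\n"), 0o644)
}

func main() { // an empty archive has no .dist-info, so this prints the refusal
	fmt.Println(installWheel(&zip.Reader{}, os.TempDir()))
}
```

Because validation runs over the whole archive before the first write, a wheel with one escaping entry leaves the destination untouched instead of half-populated.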