build: pin build-time Cython to the locked version#1793
Draft
bluetoothbot wants to merge 1 commit into
Draft
Conversation
Wheel builds run cibuildwheel in an isolated environment that resolves build-system.requires from PyPI and ignores poetry.lock. The previous unbounded 'Cython>=3.0.8' spec let each release pick up whichever Cython was newest at build time, so the compiled C output (and the shipped .pyd binaries) drifted between releases without any source change. Pin Cython to the version in poetry.lock so release wheels are built with the exact, tested compiler and the binaries are reproducible.
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #1793 +/- ##
=======================================
Coverage 99.77% 99.77%
=======================================
Files 33 33
Lines 3536 3536
Branches 498 498
=======================================
Hits 3528 3528
Misses 5 5
Partials 3 3 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Release wheels are built by cibuildwheel in an isolated environment that resolves
build-system.requiresfrom PyPI and ignorespoetry.lock. The previous unboundedCython>=3.0.8spec let every release pick up whichever Cython was newest at build time, so the compiled C output — and the shipped.pydbinaries — drifted between releases with no source change. This matches the maintainer's read in #1791 that "nothing changed besides the cython version": the Cython version was an uncontrolled build variable.This pins build-time Cython to the version in
poetry.lock(3.2.5), so release wheels are built with the exact, tested compiler and the binaries are reproducible.Closes #1791
Changes
pyproject.toml:build-system.requiresCython>=3.0.8→==3.2.5(lockstep with the dev dependency /poetry.lock), with a comment explaining the cibuildwheel isolation pitfall.Notes / honest scope
The reported
ImportError: DLL load failed ... Access is deniedis a Palo Alto Cortex XDR "Hash Control" false positive on the unsigned_cache.*.pydbinary — confirmed by the reporter (pinning to an older release is their current workaround). A scanner vendor's heuristic/reputation verdict is not something a source change can definitively clear. What this repo can control is build determinism:0.149.12-era version) in lockstep withpoetry.lock.Test plan
pyproject.tomlparses andbuild-system.requiresresolves to the pinned spec.REQUIRE_CYTHON=1with the pinned Cython unchanged otherwise.Quality Report
Changes: 1 file changed, 6 insertions(+), 1 deletion(-)
Code scan: clean
Tests: passed (4 PASSED)
Branch hygiene: clean
Generated by Kōan