Pin twine, hatchling versions and enforce usage of cargo.lock (#513)
*Issue #, if available:*
Address release failure:
https://github.com/aws-observability/aws-otel-python-instrumentation/actions/runs/18734463348/job/53438678131
1. hatchling is responsible for generating a metadata file included in
the wheel file.
2. twine will validate this metadata before publishing to PyPI.
According to the release failure, the metadata's `license-expression`
field is malformed. Yet I tried [testing an artifact in a
fork](https://github.com/jj22ee/aws-otel-python-instrumentation/releases/tag/v0.12.2),
but the wheel file's metadata doesn't look suspicious. So the exact root
cause is unknown.
*Description of changes:*
Pins the following for the release:
```
twine==5.1.1
hatchling==1.25.0
```
The latest versions are not compatible with the release process, but
note that
- last twine release was on September 4th, 2025 -
https://pypi.org/project/twine/#history
- last hatchling release was on December 15th, 2024 -
https://pypi.org/project/hatchling/#history
- Our latest ADOT Python release was on September 16th, 2025.
Since there have been no new releases from twine/hatchling recently, it
is suspected (but not confirmed yet in order to get this release out
asap) that before the GitHub `actions/setup-python` upgrade in
#506,
an older `pip` version was installed, which installed older compatible
versions of twine/hatchling. Probably since we upgraded
`actions/setup-python`, `pip` might now install the latest versions of
them, with which our repo is not yet compatible according to the failed
release.
Reasoning why we need both (test publish to TestPyPI):
- failure with only pinning twine:
https://github.com/aws-observability/aws-otel-python-instrumentation/actions/runs/18762260003/job/53529721289
- failure with only pinning hatchling:
https://github.com/aws-observability/aws-otel-python-instrumentation/actions/runs/18762938622/job/53531893352
- success by pinning both twine and hatchling:
https://github.com/aws-observability/aws-otel-python-instrumentation/actions/runs/18763023516/job/53532160232
-----------
2nd Issue is related to the PR build failure
(https://github.com/aws-observability/aws-otel-python-instrumentation/actions/runs/18763622170/job/53533951402?pr=512#step:3:2157):
```
> [builder 5/6] RUN if [ amd64 = "amd64" ]; then cargo install cargo-audit && cargo audit ; fi:
3.631 Downloaded allocator-api2 v0.2.21
3.635 Downloaded ahash v0.8.12
3.639 Downloaded addr2line v0.25.1
3.696 error: failed to compile `cargo-audit v0.21.2`, intermediate artifacts can be found at `/tmp/cargo-installifwHEz`.
3.696 To reuse those artifacts with a future compilation, set the environment variable `CARGO_TARGET_DIR` to that path.
3.696
3.696 Caused by:
3.696 rustc 1.87.0 is not supported by the following package:
3.696 [email protected] requires rustc 1.89
3.696 Try re-running `cargo install` with `--locked``
```
This is fixed by following the guidance to use `--locked`. Looks like
the `Cargo.lock` file, which pins dependencies, wasn't actually being
used. `cargo-audit` is also [updated to be
pinned](https://crates.io/crates/cargo-audit/versions) for sanity.
By submitting this pull request, I confirm that you can use, modify,
copy, and redistribute this contribution, under the terms of your
choice.
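
Added example, not part of this commit or the project's code: a small lint that flags the two drift sources described above, `cargo install` without `--locked` and an unpinned `pip install` of twine or hatchling, in Dockerfile or workflow lines. The sample input is constructed (line 1 reuses the `RUN` command shown in the build log), the `run:` lines and version `0.0.0` are placeholders, and the function names are hypothetical.

```python
import re
import shlex

PINNED_TOOLS = {"twine", "hatchling"}          # build tools this page pins
SKIP = {"RUN", "run:", "then", "do", "else"}   # prefixes before the real command

def audit_command(cmd):
    """Return findings for one simple shell command."""
    try:
        words = shlex.split(cmd)
    except ValueError:          # unbalanced quotes: nothing we can judge
        return []
    while words and words[0] in SKIP:
        words.pop(0)
    findings = []
    if words[:2] == ["cargo", "install"]:
        args = words[2:]
        if "--locked" not in args:
            findings.append("cargo install without --locked: Cargo.lock is ignored")
        if not any(a.startswith("--vers") or "@" in a for a in args):
            findings.append("cargo install without a pinned crate version")
    elif "install" in words[1:] and words[words.index("install", 1) - 1] in ("pip", "pip3"):
        for arg in words[words.index("install", 1) + 1:]:
            name = re.split(r"[=<>!~\[]", arg, maxsplit=1)[0].lower()
            if name in PINNED_TOOLS and "==" not in arg:
                findings.append(f"pip install {name} without an exact == pin")
    return findings

def audit_text(text):
    """Return (line_number, finding) pairs for a Dockerfile or workflow snippet."""
    results = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for cmd in re.split(r"&&|\|\||;", line):   # split compound shell lines
            results.extend((lineno, f) for f in audit_command(cmd.strip()))
    return results

# Constructed sample: lines 2-4 are illustrative, 0.0.0 is a placeholder version.
SAMPLE = """\
RUN if [ amd64 = "amd64" ]; then cargo install cargo-audit && cargo audit ; fi
RUN cargo install cargo-audit --version 0.0.0 --locked
run: python -m pip install twine hatchling==1.25.0
run: pip install twine==5.1.1 hatchling==1.25.0
"""

if __name__ == "__main__":
    for lineno, finding in audit_text(SAMPLE):
        print(f"line {lineno}: {finding}")
```
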