Merge branch 'main' of https://github.com/bazel-contrib/rules_python into fix.enable.namespace.pkgs

Author: rickeylev

CHANGELOG.md

@@ -60,6 +60,13 @@ END_UNRELEASED_TEMPLATE
 * (gazelle) Types for exposed members of `python.ParserOutput` are now all public.
 * (gazelle) Removed the requirement for `__init__.py`, `__main__.py`, or `__test__.py` files to be
   present in a directory to generate a `BUILD.bazel` file.
+* (toolchain) Updated the following toolchains to build 20250702 to patch CVE-2025-47273:
+    * 3.9.23
+    * 3.10.18
+    * 3.11.13
+    * 3.12.11
+    * 3.14.0b3
+* (toolchain) Python 3.13 now references 3.13.5
 
 {#v0-0-0-fixed}
 ### Fixed
@@ -72,6 +79,9 @@ END_UNRELEASED_TEMPLATE
 * (runfiles) The pypi runfiles package now includes `py.typed` to indicate it
   supports type checking
   ([#2503](https://github.com/bazel-contrib/rules_python/issues/2503)).
+* (toolchains) `local_runtime_repo` now checks if the include directory exists
+  before attempting to watch it, fixing issues on macOS with system Python
+  ({gh-issue}`3043`).
 
 {#v0-0-0-added}
 ### Added
@@ -81,13 +91,18 @@ END_UNRELEASED_TEMPLATE
 * (gazelle) New directive `gazelle:python_generate_pyi_deps`; when `true`,
   dependencies added to satisfy type-only imports (`if TYPE_CHECKING`) and type
   stub packages are added to `pyi_deps` instead of `deps`.
+* (toolchain) Add toolchains for aarch64 windows for
+    * 3.11.13
+    * 3.12.11
+    * 3.13.5
+    * 3.14.0b3
 
 {#v0-0-0-removed}
 ### Removed
 * Nothing removed.
 
 {#1-5-1}
-## [1.5.1] - 2025-06-XX
+## [1.5.1] - 2025-07-06
 
 [1.5.1]: https://github.com/bazel-contrib/rules_python/releases/tag/1.5.1
 
@@ -121,7 +136,8 @@ END_UNRELEASED_TEMPLATE
 * (py_wheel) py_wheel always creates zip64-capable wheel zips
 * (providers) (experimental) {obj}`PyInfo.venv_symlinks` replaces
   `PyInfo.site_packages_symlinks`
-* (deps) Updating setuptools to patch CVE-2025-47273.
+* (deps) Updated setuptools to 78.1.1 to patch CVE-2025-47273. This effectively makes
+  Python 3.9 the minimum supported version for using `pip_parse`.
 
 {#1-5-0-fixed}
 ### Fixed

CONTRIBUTING.md

@@ -318,6 +318,25 @@ Not breaking changes:
   * Changing internal details, such as renaming an internal file.
   * Changing a rule to a macro.
 
+## AI-assisted Contributions
+
+Contributions assisted by AI tools are allowed. However, the human author
+submitting the pull request is responsible for the contributed code as if they
+had written it entirely themselves. This means:
+
+*   **Understanding the code:** You must be able to explain what the code does
+    and why it's implemented that way. This includes discussing its
+    implications, and any trade-offs made during its development, just as if you
+    had written it entirely yourself.
+*   **Vetting the correctness and functionality:** You are responsible for
+    thoroughly testing and verifying that the code is correct, functional, and
+    meets all project requirements and standards.
+
+If the human PR author cannot fulfill these responsibilities, the `rules_python`
+maintainers will not spend time reviewing or merging the PR. The goal is to
+ensure that all contributions, regardless of their origin, maintain the quality
+and integrity of the project and do not place an undue burden on maintainers.
+
 ## FAQ
 
 ### Installation errors when during `git commit`

docs/requirements.txt

@@ -356,7 +356,7 @@ typing-extensions==4.13.2 \
     # via
     #   rules-python-docs (docs/pyproject.toml)
     #   sphinx-autodoc2
-urllib3==2.4.0 \
-    --hash=sha256:414bc6535b787febd7567804cc015fee39daab8ad86268f1310a9250697de466 \
-    --hash=sha256:4e16665048960a0900c702d4a66415956a584919c03361cac9f1df5c5dd7e813
+urllib3==2.5.0 \
+    --hash=sha256:3fc47733c7e419d4bc3f6b3dc2b4f890bb743906a30d56ba4a5bfa4bbff92760 \
+    --hash=sha256:e6b01673c0fa6a13e374b50871808eb3bf7046c4b125b216f6bf1cc604cff0dc
     # via requests

python/private/BUILD.bazel

@@ -16,7 +16,7 @@ load("@bazel_skylib//:bzl_library.bzl", "bzl_library")
 load("@bazel_skylib//rules:common_settings.bzl", "bool_setting")
 load("//python:py_binary.bzl", "py_binary")
 load("//python:py_library.bzl", "py_library")
-load("//python:versions.bzl", "print_toolchains_checksums")
+load(":print_toolchain_checksums.bzl", "print_toolchains_checksums")
 load(":py_exec_tools_toolchain.bzl", "current_interpreter_executable")
 load(":sentinel.bzl", "sentinel")
 load(":stamp.bzl", "stamp_build_setting")

python/private/local_runtime_repo.bzl

@@ -99,7 +99,15 @@ def _local_runtime_repo_impl(rctx):
     interpreter_path = info["base_executable"]
 
     # NOTE: Keep in sync with recursive glob in define_local_runtime_toolchain_impl
-    repo_utils.watch_tree(rctx, rctx.path(info["include"]))
+    include_path = rctx.path(info["include"])
+
+    # The reported include path may not exist, and watching a non-existant
+    # path is an error. Silently skip, since includes are only necessary
+    # if C extensions are built.
+    if include_path.exists and include_path.is_dir:
+        repo_utils.watch_tree(rctx, include_path)
+    else:
+        pass
 
     # The cc_library.includes values have to be non-absolute paths, otherwise
     # the toolchain will give an error. Work around this error by making them

python/private/print_toolchain_checksums.bzl

@@ -0,0 +1,92 @@
+"""Print the toolchain versions.
+"""
+
+load("//python:versions.bzl", "TOOL_VERSIONS", "get_release_info")
+load("//python/private:text_util.bzl", "render")
+load("//python/private:version.bzl", "version")
+
+def print_toolchains_checksums(name):
+    """A macro to print checksums for a particular Python interpreter version.
+
+    Args:
+        name: {type}`str`: the name of the runnable target.
+    """
+    by_version = {}
+
+    for python_version, metadata in TOOL_VERSIONS.items():
+        by_version[python_version] = _commands_for_version(
+            python_version = python_version,
+            metadata = metadata,
+        )
+
+    all_commands = sorted(
+        by_version.items(),
+        key = lambda x: version.key(version.parse(x[0], strict = True)),
+    )
+    all_commands = [x[1] for x in all_commands]
+
+    template = """\
+cat > "$@" <<'EOF'
+#!/bin/bash
+
+set -o errexit -o nounset -o pipefail
+
+echo "Fetching hashes..."
+
+{commands}
+EOF
+    """
+
+    native.genrule(
+        name = name,
+        srcs = [],
+        outs = ["print_toolchains_checksums.sh"],
+        cmd = select({
+            "//python/config_settings:is_python_{}".format(version_str): template.format(
+                commands = commands,
+            )
+            for version_str, commands in by_version.items()
+        } | {
+            "//conditions:default": template.format(commands = "\n".join(all_commands)),
+        }),
+        executable = True,
+    )
+
+def _commands_for_version(*, python_version, metadata):
+    lines = []
+    lines += [
+        "cat <<EOB",  # end of block
+        "    \"{python_version}\": {{".format(python_version = python_version),
+        "        \"url\": \"{url}\",".format(url = metadata["url"]),
+        "        \"sha256\": {",
+    ]
+
+    for platform in metadata["sha256"].keys():
+        for release_url in get_release_info(platform, python_version)[1]:
+            # Do lines one by one so that the progress is seen better and use cat for ease of quotation
+            lines += [
+                "EOB",
+                "cat <<EOB",
+                "            \"{platform}\": \"$$({get_sha256})\",".format(
+                    platform = platform,
+                    get_sha256 = "curl --silent --show-error --location --fail {release_url_sha256}".format(
+                        release_url = release_url,
+                        release_url_sha256 = release_url + ".sha256",
+                    ),
+                ),
+            ]
+
+    prefix = metadata["strip_prefix"]
+    prefix = render.indent(
+        render.dict(prefix) if type(prefix) == type({}) else repr(prefix),
+        indent = " " * 8,
+    ).lstrip()
+
+    lines += [
+        "        },",
+        "        \"strip_prefix\": {strip_prefix},".format(strip_prefix = prefix),
+        "    },",
+        "EOB",
+    ]
+
+    return "\n".join(lines)