feat: Add support for Python package ecosystem #2164
Draft
EyeCantCU wants to merge 5 commits into chainguard-dev:main from
Add a declarative ecosystem package system that allows installing packages from non-APK ecosystems (starting with Python/PyPI) directly into OCI images without shelling out to pip or any other tool. Packages are resolved via the PEP 503 Simple Repository API, downloaded as wheels, and extracted directly into the filesystem. The new `ecosystems.python` config block supports custom indexes, version constraints, and auto-detection of the installed Python version.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Use the PyPI JSON API (pypi.org/pypi/{name}/{version}/json) to resolve
packages and discover transitive dependencies, instead of downloading
entire wheels just to read their METADATA files. The JSON API returns
clean requires_dist lists and wheel URLs with checksums in a single
request.
Falls back to the PEP 503 Simple API for non-PyPI indexes (private
registries), though without transitive resolution in that case.
Also adds environment marker evaluation (extra, os_name, sys_platform,
etc.) to correctly filter conditional dependencies, and pre-release
filtering to avoid resolving alpha/beta/rc versions unless pinned.
Tested with torch==2.6.0 which correctly resolves all 24 transitive
dependencies automatically.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Rename the package directory and Go package from "pip" to "python" to match the ecosystem name used in YAML config. Update all import paths and log messages accordingly.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Remove readMetadata and parseRequiresDist, which are no longer used after switching to the PyPI JSON API for dependency discovery.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
When `venv` is set in the python ecosystem config, packages are installed into a virtual environment with proper pyvenv.cfg and bin/python symlinks. The image environment is automatically configured with VIRTUAL_ENV and PATH prepended with the venv bin directory.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
And standardize introduction of other ecosystems
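
The second commit message notes that the PyPI JSON API returns wheel URLs with checksums. The following is an added example, not code from this pull request, of checking a wheel against that checksum before anything is extracted into the image filesystem. The function names and the sample data are hypothetical and constructed here; the JSON field names (`urls`, `packagetype`, `digests.sha256`) are those of the PyPI JSON API.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// release mirrors only the fields of a PyPI JSON API response used here.
type release struct {
	URLs []struct {
		Filename    string            `json:"filename"`
		PackageType string            `json:"packagetype"`
		Digests     map[string]string `json:"digests"`
	} `json:"urls"`
}

// wheelDigest (hypothetical helper) returns the filename and sha256 of the
// first wheel in the response, skipping sdists and entries without a digest.
func wheelDigest(doc []byte) (string, string, error) {
	var r release
	if err := json.Unmarshal(doc, &r); err != nil {
		return "", "", err
	}
	for _, u := range r.URLs {
		if u.PackageType == "bdist_wheel" && len(u.Digests["sha256"]) == 64 {
			return u.Filename, u.Digests["sha256"], nil
		}
	}
	return "", "", fmt.Errorf("no wheel with a sha256 digest")
}

// verifyWheel fails closed unless the downloaded bytes hash to the index digest.
func verifyWheel(body []byte, wantHex string) error {
	if got := fmt.Sprintf("%x", sha256.Sum256(body)); got != wantHex {
		return fmt.Errorf("sha256 mismatch: got %s, want %s", got, wantHex)
	}
	return nil
}

// sampleResponse builds a constructed JSON document for constructed wheel bytes.
func sampleResponse(wheel []byte) []byte {
	return []byte(fmt.Sprintf(`{"urls":[
 {"filename":"demo-1.0.tar.gz","packagetype":"sdist","digests":{"sha256":"00"}},
 {"filename":"demo-1.0-py3-none-any.whl","packagetype":"bdist_wheel","digests":{"sha256":"%x"}}]}`,
		sha256.Sum256(wheel)))
}
func main() {
	w := []byte("constructed wheel bytes")
	name, d, _ := wheelDigest(sampleResponse(w))
	fmt.Println(name, verifyWheel(w, d), verifyWheel([]byte("tampered"), d))
}
```

The digest and the file both come from the index, so this check catches corruption or substitution in transit or at a mirror, not a compromised index; pinning expected digests in the image config would be needed for that.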