Skip to content

feat: add package metadata for wheel libraries #3531

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
stevebarrau wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat: add package metadata for wheel libraries #3531

stevebarrau wants to merge 1 commit into from
+27 −3

Conversation

@stevebarrau
Copy link

@stevebarrau stevebarrau commented Jan 22, 2026

Add package_metadata rule to generated BUILD files for wheel libraries to track package provenance using PURL (Package URL) format.

This is then picked up by supply_chain_tools to produce SBOM for python target using external dependencies.

@stevebarrau
feat: add package metadata for wheel libraries
ea7bb2b 
Add package_metadata rule to generated BUILD files for wheel
libraries to track package provenance using PURL (Package URL)
format.
aignas
aignas reviewed Jan 23, 2026
View reviewed changes
python/private/pypi/whl_library.bzl
entry_points[entry_point_without_py] = entry_point_script_name

namespace_package_files = pypi_repo_utils.find_namespace_package_files(rctx, rctx.path("site-packages"))
purl = "pkg:pypi/{}@{}".format(
Copy link
Collaborator

@aignas aignas Jan 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What happens if we have private packages in here? Is pkg:pypi/{}@{} only a type of registry or the actual public PyPI?

python/private/pypi/whl_library.bzl
"pypi_version={}".format(metadata["version"]),
],
namespace_package_files = namespace_package_files,
purl = purl,
Copy link
Collaborator

@aignas aignas Jan 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This also needs to be added above, in the other branch of the code.

@aignas
Copy link
Collaborator

aignas commented Jan 23, 2026

What are other things that are needed for #2054 to be resolved?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aignas aignas aignas left review comments

@rickeylev rickeylev Awaiting requested review from rickeylev rickeylev is a code owner

@groodt groodt Awaiting requested review from groodt groodt is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@stevebarrau @aignas