Merge pull request #123 from opensafely-core/workflow-permissions

Workflow updates and fix for removed pkg_resources

Author: rebkwok

.github/workflows/automerge.yaml

@@ -5,6 +5,9 @@ on:
     branches: [main]
 env:
   UBUNTU_PRO_TOKEN: ${{ secrets.UBUNTU_PRO_TOKEN }}
+permissions:
+  contents: read
+  packages: write
 jobs:
   publish:
     # note: this builds/tests all versions in serial for two reasons. Firstly we

.github/workflows/build_and_publish.yaml

@@ -1,6 +1,8 @@
 name: Run tests
 on:
   pull_request:
+permissions:
+  contents: read
 env:
   UBUNTU_PRO_TOKEN: ${{ secrets.UBUNTU_PRO_TOKEN }}
 jobs:

.github/workflows/tests.yaml

@@ -35,10 +35,13 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
 RUN python3 -m venv /opt/venv
 # "activate" the venv
 ENV VIRTUAL_ENV=/opt/venv/ PATH="/opt/venv/bin:$PATH"
-# We ensure up-to-date build tools (which why we ignore DL3013)
-# hadolint ignore=DL3013,DL3042
-RUN --mount=type=cache,target=/root/.cache python -m pip install -U pip setuptools wheel pip-tools
-
+# Ensure recent build tools
+# Pin setuptools to <82.0.0 (which removed pkg_resources, which some dependencies require)
+# Pin others to next major/minor version as of 2026-03-05 (major/minor depending on where
+# the package tends to include breaking changes)
+# hadolint ignore=DL3042
+RUN --mount=type=cache,target=/root/.cache python -m pip install -U "pip<27.0.0" "wheel<0.47.0" "pip-tools<7.6.0" "setuptools<82.0.0"
+RUN pip freeze
 
 #################################################
 #

Dockerfile

@@ -1,11 +1,12 @@
 import os
-import subprocess
+import re
+
 from importlib import import_module
 from pathlib import Path
-import re
+from importlib.metadata import distribution
+
 
 import pytest
-from pkg_resources import Requirement, get_provider
 
 
 # packages that have no way to detect their importable name
@@ -15,33 +16,42 @@
     "qtpy": None,  # required dependency of jupyter-lab
 }
 
+
 def get_module_names(pkg_name):
-    """Load pkg metadata to find out its importable module name(s)."""
+    """Load distribution to find out its importable module name(s)."""
     # remove any extras
-    pkg_name = re.sub(r'\[.*\]', '', pkg_name)
+    pkg_name = re.sub(r"\[.*\]", "", pkg_name)
     modules = set()
-    provider = get_provider(Requirement.parse(pkg_name))
     # top level package name is typically all we need
+    dist = distribution(pkg_name)
     if pkg_name in BAD_PACKAGES:
         name = BAD_PACKAGES[pkg_name]
-        if name is None:  # unimportably package
+        if name is None:  # unimportable package
             return []
         modules.add(BAD_PACKAGES[pkg_name])
-    elif provider.has_metadata("top_level.txt"):
-        first_line = list(provider.get_metadata_lines("top_level.txt"))[0]
-        modules.add(first_line)
+    elif top_level_names := dist.read_text("top_level.txt"):
+        # Find the first non-_ prefixed module
+        if first_public_name := next(
+            (
+                name
+                for name in top_level_names.strip().split("\n")
+                if not name.startswith("_")
+            ),
+            None,
+        ):
+            modules.add(first_public_name)
     else:
         # badly packaged dependency, make an educated guess
         name = pkg_name
         if pkg_name.endswith("-cffi"):
             name = pkg_name[:-5]
         elif pkg_name.endswith("-py"):
             name = pkg_name[:-3]
-        
+
         modules.add(name.replace("-", "_"))
 
-    if provider.has_metadata("namespace_packages.txt"):
-        modules |= set(provider.get_metadata_lines("namespace_packages.txt"))
+    if namespace_packages := dist.read_text("namespace_packages.txt"):
+        modules |= set(namespace_packages.strip().split("\n"))
 
     # _ prefixed modules are typically C modules and not directly importable
     return [n for n in modules if n[0] != "_"]