Stop wheel Requires-Dist leakage by removing pinned req edges from inner library targets#4531

Closed
Copilot wants to merge 2 commits into
mainfrom
copilot/fix-wheel-metadata-leak-again
Copilot AI commented May 14, 2026

pants package :: was still emitting leaked pinned deps (==...) into wheel METADATA for 18 packages because inner toolshed_library(...) targets carried //py/deps:reqs#* edges. This change applies the same structural fix as aio.core repo-wide: keep runtime metadata sourced from setup.cfg publish reqs, not from inner source target transitive deps.

  • Library target cleanup (18 packages)

    • Removed //py/deps:reqs#* dependencies from affected inner toolshed_library(...) targets.
    • Also removed leaked sibling-package req edges (e.g. aio-core, envoy-base-utils, envoy-github-release) where they were attached via //py/deps:reqs#....
    • Preserved non-req/source-style dependencies only where needed for in-repo source graphing.
  • Test dependency rebalance

    • Added required pinned deps to corresponding tests/BUILD toolshed_tests(...) targets so tests keep access to runtime/test-time imports after library-edge removal.
    • Did not move stub-only/leak-only deps that are not part of package runtime requirements.
  • Special-case leak paths resolved

    • envoy.distribution.release: removed the req-edge path that produced duplicate envoy-github-release leakage.
    • envoy.code.check: eliminated sibling-package leakage from the inner library target shape.
    • mypy-abstracts and pytest-abstracts: removed req-edge leaks from inner library targets so wheel requirements are driven by publish reqs.

Example of the applied pattern:

```python
# before
toolshed_library(
    "envoy.dependency.check",
    dependencies=[
        "//py/deps:reqs#abstracts",
        "//py/deps:reqs#aio-api-github",
        "//py/deps:reqs#aio-core",
        ...
    ],
)

# after
toolshed_library("envoy.dependency.check")

# corresponding tests/BUILD carries required deps
toolshed_tests(
    "envoy.dependency.check",
    dependencies=[
        "//py/deps:reqs#abstracts",
        "//py/deps:reqs#aio-api-github",
        "//py/deps:reqs#aio-core",
        ...
    ],
)
```
Original prompt

Context

PR #4527 fixed the wheel-METADATA leak in py/aio.core where pinned //py/deps:reqs#* targets attached to the inner python_sources (via toolshed_library(dependencies=[...]) in py/aio.core/aio/core/BUILD) were being transitively pulled into the wheel's Requires-Dist. A follow-up PR adds a CI verifier (py/tools/publish_check/check_wheel_metadata.py) that walks dist/*.whl and compares each wheel's runtime Requires-Dist (excluding ; extra == ... entries) against the matching py/<pkg>/setup.cfg [options] install_requires, asserting set equality.

Running that verifier locally against the current pants package :: output shows that 18 of 23 wheels still leak the same way aio.core did before PR #4527. This issue is to fix all of them in one mechanical pass so the verifier goes fully green and the next release cycle ships clean wheels.

Currently clean (do not touch)

These wheels already match their setup.cfg exactly and must remain clean:

  • abstracts
  • aio.core (already fixed by PR py/aio.core: Fix wheel dep metadata #4527 — use as the canonical reference shape)
  • pytest-iters
  • pytest-patches
  • toolshed-test-publish-pkg (the fixture at py/_test_publish_pkg)

Verifier output (the spec for this PR)

The following entries are what the verifier reports as unexpected Requires-Dist (leaked from pants/deps?) for each wheel. Each (name, specifier) tuple corresponds to a Requires-Dist entry that is NOT in that package's setup.cfg and must be removed from the wheel METADATA. Some are leaked third-party pinned deps (==<lockfile-pin>); some are leaked sibling toolshed packages (aio-core==0.11.0, etc.).

aio_api_bazel:           [('abstracts', '==0.2.0'), ('aio-core', '==0.11.0'), ('aio-run-runner', '==0.4.0')]
aio_api_github:          [('abstracts', '==0.2.0'), ('aio-core', '==0.11.0'), ('aiohttp', '==3.13.5'), ('gidgethub', '==5.4.0'), ('packaging', '==26.2')]
aio_api_nist:            [('abstracts', '==0.2.0'), ('aio-core', '==0.11.0'), ('aiohttp', '==3.13.5'), ('packaging', '==26.2')]
aio_run_checker:         [('aio-run-runner', '==0.4.0')]
aio_run_runner:          [('abstracts', '==0.2.0'), ('aio-core', '==0.11.0'), ('coloredlogs', '==15.0.1'), ('frozendict', '==2.4.7'), ('uvloop', '==0.22.1'), ('verboselogs', '==1.7')]
dependatool:             [('abstracts', '==0.2.0'), ('aio-core', '==0.11.0'), ('aio-run-checker', '==0.6.0')]
envoy_base_utils:        [('abstracts', '==0.2.0'), ('aio-api-github', '==0.3.0'), ('aio-core', '==0.11.0'), ('aio-run-runner', '==0.4.0'), ('aiohttp', '==3.13.5'), ('frozendict', '==2.4.7'), ('jinja2', '==3.1.6'), ('orjson', '==3.11.9'), ('packaging', '==26.2'), ('protobuf', '==7.34.1'), ('python-gnupg', '==0.5.6'), ('pyyaml', '==6.0.3'), ('trycast', '==1.3.0'), ('types-protobuf', '==7.34.1.20260508'), ('zstandard', '==0.25.0')]
envoy_ci_report:         [('abstracts', '==0.2.0'), ('aio-api-github', '==0.3.0'), ('aio-core', '==0.11.0'), ('aio-run-runner', '==0.4.0')]
envoy_code_check:        [('abstracts', '==0.2.0'), ('aio-core', '==0.11.0'), ('aio-run-checker', '==0.6.0'), ('envoy-base-utils', '==0.6.2-dev'), ('flake8', '==7.3.0'), ('packaging', '==26.2'), ('types-pyyaml', '==6.0.12.20260508'), ('yamllint', '==1.38.0'), ('yapf', '==0.43.0')]
envoy_dependency_check:  [('abstracts', '==0.2.0'), ('aio-api-github', '==0.3.0'), ('aio-core', '==0.11.0'), ('aio-run-checker', '==0.6.0'), ('aiohttp', '==3.13.5'), ('envoy-base-utils', '==0.6.0'), ('gidgethub', '==5.4.0'), ('jinja2', '==3.1.6'), ('packaging', '==26.2')]
envoy_distribution_release: [('abstracts', '==0.2.0'), ('aio-core', '==0.11.0'), ('aio-run-runner', '==0.4.0'), ('envoy-base-utils', '==0.6.0'), ('envoy-github-release', '==0.1.0'), ('envoy-github-release', '==0.1.1-dev')]
envoy_distribution_verify: [('aio-run-checker', '==0.6.0'), ('envoy-base-utils', '==0.6.0'), ('envoy-docker-utils', '==0.1.0')]
envoy_docker_utils:      [('aiodocker', '==0.26.0')]
envoy_docs_sphinx_runner: [('aio-run-runner', '==0.4.0'), ('colorama', '==0.4.6'), ('docutils', '==0.21.2'), ('envoy-base-utils', '==0.6.0'), ('packaging', '==26.2'), ('protobuf', '==7.34.1'), ('pygments', '==2.20.0'), ('sphinx', '==8.2.3'), ('sphinx-copybutton', '==0.5.2'), ('sphinx-rtd-theme', '==3.1.0'), ('sphinx-tabs', '==3.5.0'), ('sphinxcontrib-httpdomain', '==2.0.0'), ('sphinxcontrib-jquery', '==4.1'), ('sphinxcontrib-serializinghtml', '==2.0.0'), ('sphinxext-rediraffe', '==0.3.0'), ('types-pygments', '==2.20.0.20260508')]
envoy_github_release:    [('abstracts', '==0.2.0'), ('aio-core', '==0.11.0'), ('aio-run-runner', '==0.4.0'), ('aiofiles', '==25.1.0'), ('aiohttp', '==3.13.5'), ('envoy-base-utils', '==0.6.0'), ('gidgethub', '==5.4.0'), ('packaging', '==26.2'), ('types-aiofiles', '==25.1.0.20260508'), ('verboselogs', '==1.7')]
envoy_gpg_sign:          [('aio-core', '==0.11.0'), ('aio-run-runner', '==0.4.0'), ('envoy-base-utils', '==0.6.0'), ('python-gnupg', '==0.5.6'), ('verboselogs', '==1.7')]
mypy_abstracts:          [('mypy', '==2.0.0')]
pyt...

*This pull request was created from Copilot chat.*
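
The comparison the original prompt describes (a wheel's runtime `Requires-Dist` against `setup.cfg` `install_requires`, as set equality), shown as an added example. It is not the repository's `check_wheel_metadata.py`; the function names, the in-memory wheel and the `setup.cfg` contents are constructed for illustration, and requirement strings are parsed with a regex rather than the `packaging` library.

```python
import configparser, io, re, zipfile
from email.parser import Parser

REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*([^;]*)")

def parse_req(line):
    """Split one requirement string into (normalized name, specifier)."""
    m = REQ.match(line)
    if not m:
        raise ValueError(f"unparseable requirement: {line!r}")
    name = re.sub(r"[-_.]+", "-", m.group(1)).lower()  # PEP 503 name normalization
    return name, m.group(2).replace(" ", "").strip("()")

def wheel_runtime_reqs(wheel_bytes):
    """Requires-Dist entries from a wheel's METADATA, minus `; extra == ...` ones."""
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as whl:
        path = next(n for n in whl.namelist() if n.endswith(".dist-info/METADATA"))
        meta = Parser().parsestr(whl.read(path).decode("utf-8"))
    reqs = set()
    for line in meta.get_all("Requires-Dist") or []:
        if re.search(r"\bextra\s*==", line.partition(";")[2]):
            continue  # optional extras are not runtime requirements
        reqs.add(parse_req(line))
    return reqs

def declared_reqs(setup_cfg_text):
    """install_requires from the [options] section of a setup.cfg."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(setup_cfg_text)
    raw = cfg.get("options", "install_requires", fallback="")
    return {parse_req(line) for line in raw.splitlines() if line.strip()}

def check(wheel_bytes, setup_cfg_text):
    """Set difference in both directions; both lists empty means the wheel is clean."""
    built, declared = wheel_runtime_reqs(wheel_bytes), declared_reqs(setup_cfg_text)
    return {"unexpected": sorted(built - declared), "missing": sorted(declared - built)}

def make_wheel(metadata):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("example_pkg-0.1.0.dist-info/METADATA", metadata)
    return buf.getvalue()

# Constructed sample data: one declared requirement, one leaked pin, one extra.
SETUP_CFG = "[options]\ninstall_requires =\n    abstracts>=0.0.12\n"
LEAKY = make_wheel("Metadata-Version: 2.1\nName: example-pkg\nVersion: 0.1.0\n"
                   "Requires-Dist: abstracts>=0.0.12\nRequires-Dist: aio-core==0.11.0\n"
                   'Requires-Dist: pytest>=7; extra == "test"\n')
print(check(LEAKY, SETUP_CFG))
```

Reporting both directions matters: a leaked pin shows up under `unexpected`, while a publish requirement that never reached the wheel shows up under `missing`.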
netlify Bot commented May 14, 2026

Deploy Preview for nifty-bassi-e26446 ready!

Name Link
🔨 Latest commit b8c31ce
🔍 Latest deploy log https://app.netlify.com/projects/nifty-bassi-e26446/deploys/6a063f0cd879a4000865b1b7
😎 Deploy Preview https://deploy-preview-4531--nifty-bassi-e26446.netlify.app

Copilot AI changed the title [WIP] Fix wheel metadata leak for multiple wheels Stop wheel Requires-Dist leakage by removing pinned req edges from inner library targets May 14, 2026
Copilot finished work on behalf of phlax May 14, 2026 21:31
Copilot AI requested a review from phlax May 14, 2026 21:31
@phlax phlax closed this May 14, 2026
Copilot stopped work on behalf of phlax due to an error May 14, 2026 21:41