Workflow updates and fix for removed pkg_resources #123
Merged
Ensure workflows have the minimum required permissions and silence the security alerts
We've removed this in most other repos and generally concluded it's a bad idea. It allows merging of PRs with broken builds, e.g. #119
Force-pushed 565d8f0 to 0e25477
setuptools v82.0.0 removed the deprecated pkg_resources. Our Dockerfile installs the most recent version of build tools, including setuptools, which breaks tests. We can fix the tests to use importlib instead of pkg_resources. However, we still can't just install the latest setuptools, because various packages also depend on a version that still includes pkg_resources, so we pin it to <82.0.0.
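The two halves of the fix described above, as an added example that is not code from this PR or the project: the importlib.metadata replacement for the pkg_resources calls tests typically use (distribution version lookup and entry-point iteration), and a small checker for an exclusive upper-bound pin like the Dockerfile's "setuptools<82.0.0". The function names (installed_version, entry_point_names, is_below_pin, setuptools_pin_ok) are assumptions made for this example; the version parser deliberately ignores pre-release suffixes.

```python
"""Added example, not code from the PR or the project: importlib.metadata
replacements for pkg_resources calls, plus a checker for a "<82.0.0" pin.
Function names here are assumptions made for illustration."""
import importlib.metadata as md
import re


def installed_version(dist_name: str):
    """Installed version of a distribution, or None if it is not installed.

    Old form (needs setuptools < 82):
        pkg_resources.get_distribution(dist_name).version
    New form: importlib.metadata.version, in the stdlib since Python 3.8.
    """
    try:
        return md.version(dist_name)
    except md.PackageNotFoundError:
        return None


def entry_point_names(group: str):
    """Sorted names of the entry points registered under `group`.

    Old form: [ep.name for ep in pkg_resources.iter_entry_points(group)]
    importlib.metadata.entry_points() returns a selectable object on 3.10+
    and a dict keyed by group on 3.8/3.9, so both shapes are handled.
    """
    eps = md.entry_points()
    if hasattr(eps, "select"):      # Python 3.10+
        selected = eps.select(group=group)
    else:                           # Python 3.8 / 3.9
        selected = eps.get(group, [])
    return sorted(ep.name for ep in selected)


_NUM = re.compile(r"\d+")


def parse_version(version: str):
    """Numeric release components only: "82.0.0" -> (82, 0, 0).
    Assumption for a pin check: a pre-release suffix such as "rc1" is ignored."""
    parts = []
    for piece in version.split("."):
        match = _NUM.match(piece)
        if match is None:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def is_below_pin(version: str, upper_bound: str) -> bool:
    """True if `version` satisfies the exclusive bound "<upper_bound"."""
    v, b = parse_version(version), parse_version(upper_bound)
    width = max(len(v), len(b))
    # Pad with zeros so "81.2" compares as (81, 2, 0) against (82, 0, 0).
    return v + (0,) * (width - len(v)) < b + (0,) * (width - len(b))


def setuptools_pin_ok(upper_bound: str = "82.0.0"):
    """(installed setuptools version, whether it satisfies the pin).
    Returns (None, False) when setuptools is not installed at all."""
    version = installed_version("setuptools")
    if version is None:
        return None, False
    return version, is_below_pin(version, upper_bound)


if __name__ == "__main__":
    print("setuptools pin check:", setuptools_pin_ok())
    print("some console_scripts:", entry_point_names("console_scripts")[:5])
```

Running the module prints whether the interpreter's setuptools still falls under the pin; setuptools_pin_ok is the check to put in the image's test stage so a future unpinned upgrade fails loudly instead of breaking the first pkg_resources import.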
Force-pushed 0e25477 to efde8e5
Contributor (Author)
The better fix may be to manage those dependencies outside of the Dockerfile, and possibly replace pip with uv, but I didn't want to tackle that as part of this PR
bloodearnest approved these changes Mar 5, 2026
bloodearnest (Member) left a comment
Thanks for chasing the setuptools issue down.
Dockerfile
Outdated
| # Pin setuptools to <82.0.0 (which removed pkg_resources, which some dependencies require) | ||
| # hadolint ignore=DL3013,DL3042 | ||
| RUN --mount=type=cache,target=/root/.cache python -m pip install -U pip setuptools wheel pip-tools | ||
| RUN --mount=type=cache,target=/root/.cache python -m pip install -U pip wheel pip-tools "setuptools<82.0.0" |
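Review bot: on the new RUN line, pip, wheel and pip-tools are still installed unpinned with -U while only setuptools gets the "<82.0.0" bound, so the next release of any of those three can break the image the same way setuptools 82.0.0 did; pin all four (version bounds inline, or a constraints file passed with -c) rather than setuptools alone. Note also that the retained `# hadolint ignore=DL3013` is exactly what suppresses hadolint's "pin versions in pip" warning, so the linter will not flag the remaining unpinned installs.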
Member
Hmm, yeah this was an oversight on my part, and bound to break at some point, since we freeze packages, and some of them will depend on old setuptools apis (as well as our tests also depending on them).
Do you think it's worth pinning the rest too?
Contributor (Author)
Maybe? We've had issues with pip versions elsewhere. I could pin everything to the current major version?
This started as a simple thing to add workflow permissions, but tests failed because the latest setuptools has removed pkg_resources, so that's actually the bigger fix here.
setuptools v82.0.0 removed the deprecated pkg_resources. Our Dockerfile installs the most recent version of build tools, including setuptools, which broke the import tests, which used pkg_resources.
We can fix the tests to use importlib instead of pkg_resources. However, we still can't just install the latest setuptools, because various packages also depend on a version that still includes pkg_resources, so we pin it to <82.0.0.
(This is breaking things for lots of people)
The more boring part: