Merge branch 'reproducibility/pip-tools-pep517-build-constraints' int…

…o devel

This patch attempts to integrate a forgotten constraints file into the
tox setup. The idea is to make PEP 517 builds reproducible. The
python-build tool (PEP 517 front-end) parses the build requirements
from `pyproject.toml` and `pip install`s them into an ephemeral
temporary virtualenv. Unfortunately, this tool does not expose any
interface to pin those requirements. But the underlying tool, pip,
supports setting CLI options through env vars. So the `--constraint`
option corresponds to `PIP_CONSTRAINT` env var which this change
relies on.

The constraints file can be regenerated as follows:

    $ python -c 'from pathlib import Path; from sys import argv; from tomli import loads; print("\n".join(loads(Path(argv[1]).read_text())["build-system"].get("requires", [])))' pyproject.toml | python3 -m piptools compile --allow-unsafe --generate-hashes --strip-extras --output-file requirements-build.txt -

This change temporarily disables including hashes into the constraints
file per pypa/pip#9243.
It also sticks to generating the pins under the lowest-supported Python
version which is Python 3.6 to address
pypa/pip#11321.

requirements-build.txt

@@ -1,47 +1,32 @@
 #
-# This file is autogenerated by pip-compile
+# This file is autogenerated by pip-compile with python 3.9
 # To update, run:
 #
-#    pip-compile --generate-hashes --output-file=requirements-build.txt requirements-build.in
+#    pip-compile --allow-unsafe --output-file=requirements-build.txt --strip-extras -
 #
-cython==0.29.30 \
-    --hash=sha256:019d330ac580b2ca4a457c464ac0b8c35009d820ef5d09f328d6e31a10e1ce89 \
-    --hash=sha256:0b83a342a071c4f14e7410568e0c0bd95e2f20c0b32944e3a721649a1357fda4 \
-    --hash=sha256:0cd6c932e945af15ae4ddcf8fdc0532bda48784c92ed0a53cf4fae897067ccd1 \
-    --hash=sha256:1e078943bbde703ca08d43e719480eb8b187d9023cbd91798619f5b5e18d0d71 \
-    --hash=sha256:20778297c8bcba201ca122a2f792a9899d6e64c68a92363dd7eb24306d54d7ce \
-    --hash=sha256:2235b62da8fe6fa8b99422c8e583f2fb95e143867d337b5c75e4b9a1a865f9e3 \
-    --hash=sha256:28db751e2d8365b39664d9cb62dc1668688b8fcc5b954e9ca9d20e0b8e03d8b0 \
-    --hash=sha256:3993aafd68a7311ef94e00e44a137f6a50a69af0575ebcc8a0a074ad4152a2b2 \
-    --hash=sha256:3d0239c7a22a0f3fb1deec75cab0078eba4dd17868aa992a54a178851e0c8684 \
-    --hash=sha256:5183356c756b56c2df12d96300d602e47ffb89943c5a0bded66faca5d3da7be0 \
-    --hash=sha256:58d2b734250c1093bc69c1c3a6f5736493b9f8b34eb765f0a28a4a09468c0b00 \
-    --hash=sha256:5a8a3709ad9343a1dc02b8ec9cf6bb284be248d2c64af85464d9c3525eec74a5 \
-    --hash=sha256:5c7cfd908efc77306ddd41ef07f5a7a352c9205ced5c1e00a0e5ece4391707c4 \
-    --hash=sha256:5f2dae7dd56860018d5fd5032a71f11fdc224020932b463d0511a1536f27df85 \
-    --hash=sha256:60d370c33d56077d30e5f425026e58c2559e93b4784106f61581cf54071f6270 \
-    --hash=sha256:6b389a94b42909ff56d3491fde7c44802053a103701a7d210dcdd449a5b4f7b4 \
-    --hash=sha256:71fd1d910aced510c001936667fc7f2901c49b2ca7a2ad67358979c94a7f42ac \
-    --hash=sha256:786ee7b0cdb508b6de64c0f1f9c74f207186dfafad1ef938f25b7494cc481a80 \
-    --hash=sha256:7eff71c39b98078deaad1d1bdbf10864d234e2ab5d5257e980a6926a8523f697 \
-    --hash=sha256:80a7255ad84620f53235c0720cdee2bc7431d9e3db7b3742823a606c329eb539 \
-    --hash=sha256:88c5e2f92f16cd999ddfc43d572639679e8a057587088e627e98118e46a803e6 \
-    --hash=sha256:8e08f18d249b9b65e272a5a60f3360a8922c4c149036b98fc821fe1afad5bdae \
-    --hash=sha256:9462e9cf284d9b1d2c5b53d62188e3c09cc5c7a0018ba349d99b73cf930238de \
-    --hash=sha256:9826981308802c61a76f967875b31b7c683b7fc369eabaa6cbc22efeb12c90e8 \
-    --hash=sha256:9f1fe924c920b699af27aefebd722df4cfbb85206291623cd37d1a7ddfd57792 \
-    --hash=sha256:a30092c6e2d24255fbfe0525f9a750554f96a263ed986d12ac3c9f7d9a85a424 \
-    --hash=sha256:abcaf99f90cddc0f53600613eaafc81d27c4ac0671f0df8bce5466d4e86d54a1 \
-    --hash=sha256:acb72e0b42079862cf2f894964b41f261e941e75677e902c5f4304b3eb00af33 \
-    --hash=sha256:b17639b6a155abaa61a89f6f1323fb57b138d0529911ca03978d594945d062ba \
-    --hash=sha256:c299c5b250ae9f81c38200441b6f1d023aeee9d8e7f61c04001c7437181ccb06 \
-    --hash=sha256:c79685dd4631a188e2385dc6a232896c7b67ea2e3e5f8b5555b4b743f475d6d7 \
-    --hash=sha256:d0859a958e0155b6ae4dee04170ccfac2c3d613a7e3bee8749614530b9e3b4a4 \
-    --hash=sha256:d0f34b44078e3e0b2f1be2b99044619b37127128e7d55c54bbd2438adcaf31d3 \
-    --hash=sha256:d166d9f853db436f5e10733a9bd615699ddb4238feadcbdf5ae50dc0b18b18f5 \
-    --hash=sha256:d52d5733dcb144deca8985f0a197c19cf71e6bd6bd9d8034f3f67b2dea68d12b \
-    --hash=sha256:e29d3487f357108b711f2f29319811d92166643d29aec1b8e063aad46a346775 \
-    --hash=sha256:e36755e71fd20eceb410cc441b7f2586654c2edb013f4663842fdaf60b96c1ca \
-    --hash=sha256:e5cb144728a335d7a7fd0a61dff6abb7a9aeff9acd46d50b886b7d9a95bb7311 \
-    --hash=sha256:e605635a92ae862cb46d84d1d6883324518f9aaff4a71cede6d61df20b6a410c \
-    --hash=sha256:ffa8c09617833ff0824aa7926fa4fa9d2ec3929c67168e89105f276b7f36a63e
+cython==0.29.30
+    # via -r -
+expandvars==0.9.0
+    # via -r -
+packaging==21.3
+    # via setuptools-scm
+pyparsing==3.0.9
+    # via packaging
+setuptools-scm==6.4.2
+    # via -r -
+setuptools-scm-git-archive==1.4
+    # via -r -
+toml==0.10.2
+    # via -r -
+tomli==1.2.3
+    # via setuptools-scm
+typing-extensions==4.3.0
+    # via setuptools-scm
+wheel==0.37.1
+    # via -r -
+
+# The following packages are considered to be unsafe in a requirements file:
+setuptools==59.6.0
+    # via
+    #   -r -
+    #   setuptools-scm

tox.ini

@@ -32,6 +32,7 @@ commands =
 [testenv]
 allowlist_externals =
   {env:CATCHSEGV_BINARY:}
+  env
   sh
 isolated_build = true
 usedevelop = false
@@ -76,6 +77,8 @@ commands_pre =
     -f {env:PEP517_OUT_DIR} \
     --no-index \
     ansible-pylibssh
+install_command =
+  {[dists]install_command}
 setenv =
   {[dists]setenv}
 
@@ -106,13 +109,19 @@ commands_pre =
     -f {toxinidir}/.github/workflows/.tmp/deps \
     --no-index \
     ansible-pylibssh
+install_command =
+  {[dists]install_command}
 setenv =
   {[dists]setenv}
 
 [dists]
+install_command =
+  env PIP_CONSTRAINT= \
+    {envpython} -m pip install {opts} {packages}
 setenv =
   {[testenv]setenv}
   PEP517_OUT_DIR = {env:PEP517_OUT_DIR:{toxinidir}{/}dist}
+  PIP_CONSTRAINT = {toxinidir}/requirements-build.txt
 
 
 [testenv:cleanup-dists]
@@ -123,6 +132,8 @@ description =
 usedevelop = false
 skip_install = true
 deps =
+install_command =
+  {[dists]install_command}
 setenv =
   {[dists]setenv}
 commands =
@@ -140,6 +151,8 @@ usedevelop = false
 skip_install = true
 deps =
   build ~= 0.7.0
+install_command =
+  {[dists]install_command}
 passenv =
   PEP517_BUILD_ARGS
 setenv =
@@ -165,10 +178,13 @@ deps =
   # NOTE: v20 added support for backend-path
   # NOTE: in pyproject.toml and we use it
   pip >= 20
+install_command =
+  {[dists]install_command}
 setenv =
   {[dists]setenv}
 commands =
-  {envpython} -m pip wheel \
+  env PIP_CONSTRAINT= \
+    {envpython} -m pip wheel \
     --no-deps \
     --wheel-dir "{env:PEP517_OUT_DIR}" \
     "{toxinidir}"
@@ -187,6 +203,8 @@ usedevelop = false
 skip_install = true
 deps =
   delocate
+install_command =
+  {[dists]install_command}
 setenv =
   {[dists]setenv}
 commands =
@@ -216,6 +234,8 @@ depends =
   delocate-macos-wheels
 deps =
   twine
+install_command =
+  {[dists]install_command}
 usedevelop = false
 skip_install = true
 setenv =