Pin build requirements versions

da-woods · da-woods · commit 195493b1ce81 · 2026-05-05T22:27:59.000+01:00
... and manage them with dependabot.

I've intentionally left the version in project.toml open and
then installed it separately with a file used only on our CI (so
as not to put artificial barriers on future users trying to install
it somewhere we hadn't anticipated).

I tried using the argument to `build` `--dependency-constraints-txt`.
That's unfortunately too new so didn't work.

Setting an environmental variable to `PIP_BUILD_CONSTRAINT`
seemed like it might also work, but to me looked a bit more
opaque than what I've done here.

For Cython 3.2.x we'll need a slightly more complicated requirements
file with different versions for Python 3.8.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -48,3 +48,20 @@ updates:
       - dependency-name: "cibuildwheel"
     cooldown:
       default-days: 7
+
+  # Constraints for build dependencies
+  - package-ecosystem: "pip"
+    target-branch: "master"
+    directory: ".wheel_build_requirements"
+    schedule:
+      interval: "monthly"
+    cooldown:
+      default-days: 7
+
+  - package-ecosystem: "pip"
+    target-branch: "3.2.x"
+    directory: ".wheel_build_requirements"
+    schedule:
+      interval: "monthly"
+    cooldown:
+      default-days: 7
diff --git a/.wheel_build_requirements/requirements.txt b/.wheel_build_requirements/requirements.txt
@@ -0,0 +1 @@
+setuptools == 82.0.1
diff --git a/pyproject.toml b/pyproject.toml
@@ -19,6 +19,12 @@ test-command = [
     "cython {project}/Cython/Compiler/Scanning.py",
     "cython {project}/Cython/Compiler/Parsing.py",
 ]
+# For cibuildwheel, use strict version constraints to ensure it's as reproducible as possible.
+# This means not installing from pyproject.toml but instead using a separate, more constrained file.
+# However, keep pyproject.toml build-system.requires open to not artificially constrain users
+# who may be trying to install on future versions of Python with unknown setuptools support. 
+build-frontend = "build; args: --no-isolation"
+before-build = "pip install -r .wheel_build_requirements/requirements.txt --no-deps --only-binary :all:"
 
 [tool.cibuildwheel.linux]
 archs = ["x86_64", "aarch64", "i686", "armv7l"]
