Commit 2b5718c
Pin twine, hatchling versions and enforce usage of cargo.lock (#513)
*Issue #, if available:*
Address release failure:
https://github.com/aws-observability/aws-otel-python-instrumentation/actions/runs/18734463348/job/53438678131
1. hatchling is responsible for generating a metadata file included in
the wheel file.
2. twine will validate this metadata before publishing to PyPI.
According to the release failure, the metadata's `license-expression`
field is malformed. Yet I tried [testing an artifact in a
fork](https://github.com/jj22ee/aws-otel-python-instrumentation/releases/tag/v0.12.2),
but the wheel file's metadata doesn't look suspicious. So the exact root
cause is unknown.
*Description of changes:*
Pins the following for the release:
```
twine==5.1.1
hatchling==1.25.0
```
The latest versions are not compatible with the release process, but
note that
- last twine release was on September 4th, 2025 -
https://pypi.org/project/twine/#history
- last hatchling release was on December 15th, 2024 -
https://pypi.org/project/hatchling/#history
- Our latest ADOT Python release was on September 16th, 2025.
Since there have been no new releases from twine/hatchling recently, it
is suspected (but not confirmed yet in order to get this release out
asap) that before the GitHub `actions/setup-python` upgrade in
#506,
an older `pip` version was installed, which installed older compatible
versions of twine/hatchling. Probably since we upgraded
`actions/setup-python`, `pip` might now install the latest versions of
them, with which our repo is not yet compatible according to the failed
release.
Reasoning why we need both (test publish to TestPyPI):
- failure with only pinning twine:
https://github.com/aws-observability/aws-otel-python-instrumentation/actions/runs/18762260003/job/53529721289
- failure with only pinning hatchling:
https://github.com/aws-observability/aws-otel-python-instrumentation/actions/runs/18762938622/job/53531893352
- success by pinning both twine and hatchling:
https://github.com/aws-observability/aws-otel-python-instrumentation/actions/runs/18763023516/job/53532160232
-----------
The 2nd issue is related to the PR build failure
(https://github.com/aws-observability/aws-otel-python-instrumentation/actions/runs/18763622170/job/53533951402?pr=512#step:3:2157):
```
> [builder 5/6] RUN if [ amd64 = "amd64" ]; then cargo install cargo-audit && cargo audit ; fi:
3.631 Downloaded allocator-api2 v0.2.21
3.635 Downloaded ahash v0.8.12
3.639 Downloaded addr2line v0.25.1
3.696 error: failed to compile `cargo-audit v0.21.2`, intermediate artifacts can be found at `/tmp/cargo-installifwHEz`.
3.696 To reuse those artifacts with a future compilation, set the environment variable `CARGO_TARGET_DIR` to that path.
3.696
3.696 Caused by:
3.696 rustc 1.87.0 is not supported by the following package:
3.696 smol_str@0.3.4 requires rustc 1.89
3.696 Try re-running `cargo install` with `--locked``
```
This is fixed by following the guidance to use `--locked`. Looks like
the `Cargo.lock` file, which pins dependencies, wasn't actually being
used. `cargo-audit` is also [updated to be
pinned](https://crates.io/crates/cargo-audit/versions) for sanity.
By submitting this pull request, I confirm that you can use, modify,
copy, and redistribute this contribution, under the terms of your
choice.

1 parent 1153669 commit 2b5718c
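A CI lint for the two pinning problems this commit message describes, as an added example that is not code from the repository: it flags `pip install` arguments without `==` and `cargo install` without `--locked` or a version. The function names, the sample lines and the `<PINNED_VERSION>` placeholder are constructed for illustration; the third sample line reuses the command from the failing build log above.

```python
import re

# pip options whose next token is a value, not a package name.
PIP_VALUE_OPTS = {"-r", "--requirement", "-c", "--constraint", "-i", "--index-url"}

# Constructed sample input (not the repository's real workflow or Dockerfile).
SAMPLE = """\
pip install twine hatchling
pip install twine==5.1.1 hatchling==1.25.0
if [ amd64 = "amd64" ]; then cargo install cargo-audit && cargo audit ; fi
cargo install --locked cargo-audit --version <PINNED_VERSION>
"""

def audit_line(line):
    """Return reasons why install commands on this line are not reproducible."""
    reasons = []
    for cmd in re.split(r"&&|\|\||;", line):      # split chained shell commands
        words = cmd.split()
        for i in range(1, len(words)):
            if words[i] != "install" or words[i - 1] not in ("pip", "pip3", "cargo"):
                continue
            tool, args = words[i - 1], words[i + 1:]
            if tool == "cargo":
                if "--locked" not in args:
                    reasons.append("cargo install without --locked (Cargo.lock ignored)")
                if not any(a.startswith("--vers") or "@" in a for a in args):
                    reasons.append("cargo crate version not pinned")
            else:
                skip = False
                for a in args:
                    if skip:                       # value of the previous option
                        skip = False
                    elif a in PIP_VALUE_OPTS:
                        skip = True
                    elif not a.startswith("-") and "==" not in a:
                        reasons.append(f"pip package not pinned: {a}")
            break                                  # one install per sub-command
    return reasons

def audit(text):
    """Return (line_number, reason) for every finding in a build script."""
    return [(no, r) for no, line in enumerate(text.splitlines(), 1)
            for r in audit_line(line)]

if __name__ == "__main__":
    for no, reason in audit(SAMPLE):
        print(f"line {no}: {reason}")
```

Requirements files passed with `-r` are skipped here; their contents would need the same `==` check.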
File tree
3 files changed, +3 -3 lines changed
- .github/workflows
- aws-opentelemetry-distro

| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
157 | 157 | | |
158 | 158 | | |
159 | 159 | | |
160 | | - | |
| 160 | + | |
161 | 161 | | |
162 | 162 | | |
163 | 163 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
39 | 39 | | |
40 | 40 | | |
41 | 41 | | |
42 | | - | |
| 42 | + | |
43 | 43 | | |
44 | 44 | | |
45 | 45 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | 1 | | |
2 | | - | |
| 2 | + | |
3 | 3 | | |
4 | 4 | | |
5 | 5 | | |
| |||