feat(toolchains): backport 20260325/20260414 Python toolchains for 1.9.1 (#3708) by kevinpark1217 · Pull Request #3776 · bazel-contrib/rules_python

kevinpark1217 · 2026-05-14T13:28:30Z

Cherry-picks #3708 (6dac0f6d) into release/1.9 to land a 1.9.1. Companion to #3775; release/1.9 ships the same MINOR_MAPPING so it's affected by the same CVE set called out in #3773.

Deviations from the cherry-pick:

CHANGELOG.md conflict resolved by placing the bullets in a new 1.9.1 section. The patch's 2.0.0 block was discarded (doesn't belong on release/1.9).

The examples/wheel/ changes from #3708 (pypiserver bump + test_publish hardening) are included verbatim — they are required for the new toolchains, since 20260414+ python-build-standalone archives no longer bundle setuptools/pkg_resources and the previously-pinned pypiserver==2.0.1 imports pkg_resources at module load.

Second commit — workflow maintenance: fix(ci): unpin mypy version in mypy workflow drops the requirements: 1.6.0 / python_version: 3.9 pins from .github/workflows/mypy.yaml. The jpetrucciani/mypy-check@master action now defaults to mypy==2.1.0 (requires Python ≥3.10) regardless of the requirements parameter, so every PR against release/1.9 currently fails the ci check. After this fix the workflow runs with the action's defaults, matching how it's already configured on main and release/2.0. (Functionally equivalent to the workflow hunk of #3678, but framed as a workflow-maintenance fix rather than a partial cherry-pick.)

Test plan — Ubuntu 24.04 aarch64 Docker, Bazel 9.0.0, this branch via local_path_override:

py_binary runs under 3.14.4 (default MINOR_MAPPING) — archive SHA256s match
bazel test //examples/wheel:test_publish passes with the new toolchains
rules_python self-tests not run locally; relying on Buildkite CI for that signal

🤖 Generated with Claude Code

gemini-code-assist

Code Review

This pull request updates the Python toolchains by adding several new versions from the 20260325 and 20260414 releases, updating the MINOR_MAPPING, and refining the release info logic for freethreaded builds. Feedback includes correcting a missing comma and pluralization in the CHANGELOG.md, as well as improving the consistency of platform key ordering within the sha256 maps in python/versions.bzl.

gemini-code-assist · 2026-05-14T13:32:22Z

+* (toolchains) `3.13.12`, `3.14.3` Python toolchain from [20260325] release.
+* (toolchains) `3.10.20`, `3.11.15`, `3.12.13`, `3.13.13` `3.14.4`, `3.15.0a8`
+  Python toolchain from [20260414] release.


There are a few minor issues in the changelog entry:

A missing comma between 3.13.13 and 3.14.4 on line 58.

Use of the singular "toolchain" when referring to multiple versions. It should be "toolchains" for consistency.

Suggested change

* (toolchains) `3.13.12`, `3.14.3` Python toolchain from [20260325] release.

* (toolchains) `3.10.20`, `3.11.15`, `3.12.13`, `3.13.13` `3.14.4`, `3.15.0a8`

Python toolchain from [20260414] release.

* (toolchains) `3.13.12`, `3.14.3` Python toolchains from [20260325] release.

* (toolchains) `3.10.20`, `3.11.15`, `3.12.13`, `3.13.13`, `3.14.4`, `3.15.0a8`

Python toolchains from [20260414] release.

Cherry-picked verbatim from #3708 (6dac0f6d); same content is on main. Not changing in the backport. Happy to fix upstream in a follow-up.

gemini-code-assist · 2026-05-14T13:32:22Z

+            "aarch64-apple-darwin": "688da81bcaa6ed91792397c7d5433b13a4f02f021f940637c3972639bc516dca",
+            "aarch64-unknown-linux-gnu": "31c6e61eed48ca4e156d0e473025a792338641109e8277a63518ded438390c96",
+            "ppc64le-unknown-linux-gnu": "654939bc40d5f76f08eb17335bb19e9efa11eb48a0818eda2293a3f7c3570ae7",
+            "riscv64-unknown-linux-gnu": "fc7e1fb553c47b831ed7fa529575145207f000f967513f7b9ea809cce006ed79",
+            "s390x-unknown-linux-gnu": "7d7919358e88fcc672b061be8c2316c3a604c7074200515d7104166ed611f7f9",
+            "x86_64-apple-darwin": "7411e47939783708381017a90944a69641ac84d43f74fb6e2d52576c599a2717",
+            "x86_64-pc-windows-msvc": "5b4093f92d9bffcb0d92aea050f3d77d5a4fc8e918b31cea000ee4b3ca751f1d",
+            "aarch64-pc-windows-msvc": "d2c8b00044cd2e4c5fc7e697e63d5e481ed44b87c2def0beb42991d59f65d930",
+            "aarch64-pc-windows-msvc-freethreaded": "d2c8b00044cd2e4c5fc7e697e63d5e481ed44b87c2def0beb42991d59f65d930",
+            "x86_64-unknown-linux-gnu": "ebb1051ca2822b9803f46a5f10b6d51d153189ef1b1f1e142f733c0cbeaf86eb",
+            "x86_64-unknown-linux-musl": "b2e9400731c7f18069ec2804ba87a404385fe440f93b7dcb59004b9f56651202",
+            "aarch64-apple-darwin-freethreaded": "688da81bcaa6ed91792397c7d5433b13a4f02f021f940637c3972639bc516dca",
+            "aarch64-unknown-linux-gnu-freethreaded": "31c6e61eed48ca4e156d0e473025a792338641109e8277a63518ded438390c96",
+            "ppc64le-unknown-linux-gnu-freethreaded": "654939bc40d5f76f08eb17335bb19e9efa11eb48a0818eda2293a3f7c3570ae7",
+            "riscv64-unknown-linux-gnu-freethreaded": "fc7e1fb553c47b831ed7fa529575145207f000f967513f7b9ea809cce006ed79",
+            "s390x-unknown-linux-gnu-freethreaded": "7d7919358e88fcc672b061be8c2316c3a604c7074200515d7104166ed611f7f9",
+            "x86_64-apple-darwin-freethreaded": "7411e47939783708381017a90944a69641ac84d43f74fb6e2d52576c599a2717",
+            "x86_64-pc-windows-msvc-freethreaded": "5b4093f92d9bffcb0d92aea050f3d77d5a4fc8e918b31cea000ee4b3ca751f1d",
+            "x86_64-unknown-linux-gnu-freethreaded": "ebb1051ca2822b9803f46a5f10b6d51d153189ef1b1f1e142f733c0cbeaf86eb",


The keys in the sha256 map for version 3.13.12 are inconsistently ordered compared to other versions added in this PR (like 3.14.3). Specifically, aarch64-pc-windows-msvc-freethreaded is placed early (line 918) while other freethreaded variants are grouped at the end. It is better to group all freethreaded variants together or sort them alphabetically to maintain consistency and readability.

Suggested change

"aarch64-apple-darwin": "688da81bcaa6ed91792397c7d5433b13a4f02f021f940637c3972639bc516dca",

"aarch64-unknown-linux-gnu": "31c6e61eed48ca4e156d0e473025a792338641109e8277a63518ded438390c96",

"ppc64le-unknown-linux-gnu": "654939bc40d5f76f08eb17335bb19e9efa11eb48a0818eda2293a3f7c3570ae7",

"riscv64-unknown-linux-gnu": "fc7e1fb553c47b831ed7fa529575145207f000f967513f7b9ea809cce006ed79",

"s390x-unknown-linux-gnu": "7d7919358e88fcc672b061be8c2316c3a604c7074200515d7104166ed611f7f9",

"x86_64-apple-darwin": "7411e47939783708381017a90944a69641ac84d43f74fb6e2d52576c599a2717",

"x86_64-pc-windows-msvc": "5b4093f92d9bffcb0d92aea050f3d77d5a4fc8e918b31cea000ee4b3ca751f1d",

"aarch64-pc-windows-msvc": "d2c8b00044cd2e4c5fc7e697e63d5e481ed44b87c2def0beb42991d59f65d930",

"aarch64-pc-windows-msvc-freethreaded": "d2c8b00044cd2e4c5fc7e697e63d5e481ed44b87c2def0beb42991d59f65d930",

"x86_64-unknown-linux-gnu": "ebb1051ca2822b9803f46a5f10b6d51d153189ef1b1f1e142f733c0cbeaf86eb",

"x86_64-unknown-linux-musl": "b2e9400731c7f18069ec2804ba87a404385fe440f93b7dcb59004b9f56651202",

"aarch64-apple-darwin-freethreaded": "688da81bcaa6ed91792397c7d5433b13a4f02f021f940637c3972639bc516dca",

"aarch64-unknown-linux-gnu-freethreaded": "31c6e61eed48ca4e156d0e473025a792338641109e8277a63518ded438390c96",

"ppc64le-unknown-linux-gnu-freethreaded": "654939bc40d5f76f08eb17335bb19e9efa11eb48a0818eda2293a3f7c3570ae7",

"riscv64-unknown-linux-gnu-freethreaded": "fc7e1fb553c47b831ed7fa529575145207f000f967513f7b9ea809cce006ed79",

"s390x-unknown-linux-gnu-freethreaded": "7d7919358e88fcc672b061be8c2316c3a604c7074200515d7104166ed611f7f9",

"x86_64-apple-darwin-freethreaded": "7411e47939783708381017a90944a69641ac84d43f74fb6e2d52576c599a2717",

"x86_64-pc-windows-msvc-freethreaded": "5b4093f92d9bffcb0d92aea050f3d77d5a4fc8e918b31cea000ee4b3ca751f1d",

"x86_64-unknown-linux-gnu-freethreaded": "ebb1051ca2822b9803f46a5f10b6d51d153189ef1b1f1e142f733c0cbeaf86eb",

"aarch64-apple-darwin": "688da81bcaa6ed91792397c7d5433b13a4f02f021f940637c3972639bc516dca",

"aarch64-unknown-linux-gnu": "31c6e61eed48ca4e156d0e473025a792338641109e8277a63518ded438390c96",

"ppc64le-unknown-linux-gnu": "654939bc40d5f76f08eb17335bb19e9efa11eb48a0818eda2293a3f7c3570ae7",

"riscv64-unknown-linux-gnu": "fc7e1fb553c47b831ed7fa529575145207f000f967513f7b9ea809cce006ed79",

"s390x-unknown-linux-gnu": "7d7919358e88fcc672b061be8c2316c3a604c7074200515d7104166ed611f7f9",

"x86_64-apple-darwin": "7411e47939783708381017a90944a69641ac84d43f74fb6e2d52576c599a2717",

"x86_64-pc-windows-msvc": "5b4093f92d9bffcb0d92aea050f3d77d5a4fc8e918b31cea000ee4b3ca751f1d",

"aarch64-pc-windows-msvc": "d2c8b00044cd2e4c5fc7e697e63d5e481ed44b87c2def0beb42991d59f65d930",

"x86_64-unknown-linux-gnu": "ebb1051ca2822b9803f46a5f10b6d51d153189ef1b1f1e142f733c0cbeaf86eb",

"x86_64-unknown-linux-musl": "b2e9400731c7f18069ec2804ba87a404385fe440f93b7dcb59004b9f56651202",

"aarch64-apple-darwin-freethreaded": "688da81bcaa6ed91792397c7d5433b13a4f02f021f940637c3972639bc516dca",

"aarch64-unknown-linux-gnu-freethreaded": "31c6e61eed48ca4e156d0e473025a792338641109e8277a63518ded438390c96",

"ppc64le-unknown-linux-gnu-freethreaded": "654939bc40d5f76f08eb17335bb19e9efa11eb48a0818eda2293a3f7c3570ae7",

"riscv64-unknown-linux-gnu-freethreaded": "fc7e1fb553c47b831ed7fa529575145207f000f967513f7b9ea809cce006ed79",

"s390x-unknown-linux-gnu-freethreaded": "7d7919358e88fcc672b061be8c2316c3a604c7074200515d7104166ed611f7f9",

"x86_64-apple-darwin-freethreaded": "7411e47939783708381017a90944a69641ac84d43f74fb6e2d52576c599a2717",

"x86_64-pc-windows-msvc-freethreaded": "5b4093f92d9bffcb0d92aea050f3d77d5a4fc8e918b31cea000ee4b3ca751f1d",

"aarch64-pc-windows-msvc-freethreaded": "d2c8b00044cd2e4c5fc7e697e63d5e481ed44b87c2def0beb42991d59f65d930",

"x86_64-unknown-linux-gnu-freethreaded": "ebb1051ca2822b9803f46a5f10b6d51d153189ef1b1f1e142f733c0cbeaf86eb"

Cherry-picked verbatim from #3708 (6dac0f6d); same content is on main. Not changing in the backport. Happy to fix upstream in a follow-up.

The toolchain bumps from bazel-contrib#3708 are being backported to release/2.0 and release/1.9 as 2.0.2 and 1.9.1 respectively (bazel-contrib#3775, bazel-contrib#3776), so move the bullets out of Unreleased and into dated patch sections to match what will ship from those branches. Refs bazel-contrib#3773.

…,4}, 3.15.0a8 (bazel-contrib#3708) This updates the Python version mappings to include the latest released versions. (cherry picked from commit 6dac0f6)

The pinned `requirements: 1.6.0` and `python_version: 3.9` in `.github/workflows/mypy.yaml` no longer work: the `jpetrucciani/mypy-check@master` action now defaults to `mypy==2.1.0` (`Requires-Python >=3.10`) regardless of the `requirements` parameter, and Python 3.9 can no longer install it. Every PR opened against `release/1.9` currently fails this check. Drop both pins so the action picks its defaults, matching how the same workflow already runs on `main` and `release/2.0`.

kevinpark1217 requested review from aignas and rickeylev as code owners May 14, 2026 13:28

kevinpark1217 mentioned this pull request May 14, 2026

docs: split toolchain bumps from #3708 into 2.0.2 and 1.9.1 changelog sections #3777

Open

gemini-code-assist Bot reviewed May 14, 2026

View reviewed changes

kevinpark1217 force-pushed the backport-toolchains-3708-release-1.9 branch from 6f9c540 to baf6bd6 Compare May 14, 2026 13:45

kevinpark1217 mentioned this pull request May 14, 2026

Patch release: 2.0.2 — backport toolchain CVE fixes from #3708 #3773

Open

feat(toolchains): Add 3.10.20, 3.11.15, 3.12.13, 3.13.{12,13} 3.14.{3…

e88d0dd

…,4}, 3.15.0a8 (bazel-contrib#3708) This updates the Python version mappings to include the latest released versions. (cherry picked from commit 6dac0f6)

kevinpark1217 force-pushed the backport-toolchains-3708-release-1.9 branch from baf6bd6 to e88d0dd Compare May 18, 2026 09:53

kevinpark1217 force-pushed the backport-toolchains-3708-release-1.9 branch from 4324592 to 7adf838 Compare May 18, 2026 10:32

kevinpark1217 mentioned this pull request May 18, 2026

fix(ci): bump rules_cc to 0.2.17 to unbreak RBE #3788

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

feat(toolchains): backport 20260325/20260414 Python toolchains for 1.9.1 (#3708)#3776

feat(toolchains): backport 20260325/20260414 Python toolchains for 1.9.1 (#3708)#3776
kevinpark1217 wants to merge 2 commits into
bazel-contrib:release/1.9from
kevinpark1217:backport-toolchains-3708-release-1.9

kevinpark1217 commented May 14, 2026 •

edited

Loading

Uh oh!

gemini-code-assist Bot left a comment

Uh oh!

gemini-code-assist Bot May 14, 2026

Uh oh!

kevinpark1217 May 14, 2026 •

edited

Loading

Uh oh!

gemini-code-assist Bot May 14, 2026

Uh oh!

kevinpark1217 May 14, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Uh oh!

Conversation

kevinpark1217 commented May 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

Code Review

Uh oh!

gemini-code-assist Bot May 14, 2026

Choose a reason for hiding this comment

Uh oh!

kevinpark1217 May 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

gemini-code-assist Bot May 14, 2026

Choose a reason for hiding this comment

Uh oh!

kevinpark1217 May 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

kevinpark1217 commented May 14, 2026 •

edited

Loading

kevinpark1217 May 14, 2026 •

edited

Loading

kevinpark1217 May 14, 2026 •

edited

Loading