Skip to content

Plan: Define maturin and PyO3 validation contracts#16

Draft
leynos wants to merge 3 commits into
mainfrom
maturin-validation
Draft

Plan: Define maturin and PyO3 validation contracts#16
leynos wants to merge 3 commits into
mainfrom
maturin-validation

Conversation

@leynos

@leynos leynos commented Jun 14, 2026

Copy link
Copy Markdown
Owner

Summary

This branch adds a design document for maturin and PyO3 validation because Rust-extension template renders need an explicit packaging contract before implementation work changes generated tests, CI, and release workflows. The design is captured in docs/maturin-pyo3-validation-design.md and is based on the observed approaches in Prosidy Darn, Cuprum, TEI Rapporteur, Stilyagi, and femtologging, plus upstream maturin, PyO3, and wheel-specification guidance.

It also repairs the generated Rust act-validation path that surfaced on this pull request: template/.github/workflows/ci.yml.jinja now points rust-cache at rust_extension, template/{% if use_rust %}rust_extension{% endif %}/Cargo.toml.jinja now uses PyO3 0.29.0, and tests/helpers/ci_contracts.py asserts the cache workspace contract.

There is no linked issue, roadmap task, or execplan for this branch. This is primarily a design branch that authorizes the next implementation pass, with a narrow generated-CI repair needed to keep the branch green.

Review walkthrough

Validation

  • make check-fmt: passed
  • make lint: passed
  • make typecheck: passed
  • make test: passed, 32 passed, 2 skipped, 3 snapshots passed
  • make test WITH_ACT=1: passed, 32 passed, 2 xfailed, 3 snapshots passed
  • git diff --check: passed

Notes

The design deliberately keeps pure-Python renders free of maturin, PyO3, Cargo, and wheel-action dependencies. It also treats femtologging as a negative case by requiring future template tests to reject broad maturin ranges and bare maturin develop validation as sufficient upgrade coverage.

The act-specific fix addresses two generated Rust workflow failures observed while validating this pull request: rust-cache running cargo metadata from a directory without Cargo.toml, and cargo audit rejecting PyO3 0.28.3 for RUSTSEC-2026-0176 and RUSTSEC-2026-0177.

leynos added 2 commits June 14, 2026 04:42
Document the validation contract for generated Rust-extension projects,
including maturin pin synchronisation, wheel snapshots, CI release routing, and PyO3 bridge escalation paths.
Incorporate expert review feedback by defining version
canonicalisation, skip semantics, focused wheel assertions, and generated
Rust-extension runbook requirements.
Clarify CI cost and release-routing expectations, and make the negative broad-range maturin case an explicit template regression guard.

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry @leynos, you have reached your weekly rate limit of 500000 diff characters.

Please try again later or upgrade to continue using Sourcery

@coderabbitai

coderabbitai Bot commented Jun 14, 2026

Copy link
Copy Markdown

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 1bef9990-76ca-4872-a98a-03469a5deb61

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch maturin-validation

Comment @coderabbitai help to get the list of available commands and usage tips.

Point the generated Rust cache step at `rust_extension` so `rust-cache`
runs `cargo metadata` where the rendered `Cargo.toml` exists.

Bump the starter PyO3 dependency to `0.29.0` so generated Rust projects pass
`cargo audit` after the current RustSec advisories against `0.28.3`.
@leynos leynos changed the title Define maturin and PyO3 validation contracts Plan: Define maturin and PyO3 validation contracts Jun 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant