Fix macos-x86_64 dep-resolution build by restoring pkg-config and openssl@3

[Kyle-Neale]

What does this PR do?

Restores pkg-config and openssl@3 (plus OPENSSL_DIR / PKG_CONFIG_PATH env vars) in the macOS leg of .github/workflows/resolve-build-deps.yaml so the management-deps install step can compile cryptography from source when pip falls back to an sdist build.

Motivation

The resolve-build-deps workflow's macOS step deliberately wipes Homebrew (brew remove --force --ignore-dependencies $(brew list --formula)) so that delocate doesn't pull random brew libraries into the produced wheels. The step then reinstalls only coreutils.

That worked fine while pip resolved cryptography to a prebuilt wheel for the host Python. Then commit 3b4fb9d0e2 "Upgrade Python version (#24019)" landed on 2026-06-11 and bumped the macOS PBS Python from 3.13.13 (release 20260414) to 3.13.14 (release 20260610). The new PBS Python's platform tags no longer match cryptography's macosx_10_9_universal2 wheel, so pip falls back to building from sdist — which uses the openssl-sys Rust crate and immediately fails:

error: failed to run custom build command for `openssl-sys v0.9.117`
Could not find directory of OpenSSL installation [...] try installing `pkg-config`

Timeline:

• 2026-06-11 11:59 — last passing macos-x86_64 run (run 27345165538, PR Upgrade Python version #24014, 15m17s)
• 2026-06-11 19:26 — PR Upgrade Python version #24019 merged, bumping PBS Python 3.13.13 → 3.13.14
• 2026-06-15 03:01 — first failing macos-x86_64 run (bot PR Update dependencies #24041)

Reinstating pkg-config and openssl@3 (both keg-only so they won't be picked up by delocate from the wheel build step that runs in isolation later) lets the sdist build complete. These are host-side build tools; they don't end up in the produced wheels.

Review checklist (to be filled by reviewers)

• Feature or bugfix MUST have appropriate tests (unit, integration, e2e)
• PR title must be written as a CHANGELOG entry (see why)
• Files changes must correspond to the primary purpose of the PR as described in the title (small unrelated changes should have their own PR)
• PR must have changelog/ label attached
• If the PR doesn't need to be tested during QA, please add a qa/skip-qa label.

[dd-octo-sts]

Validation Report

All 21 validations passed.

Show details

Validation	Description	Status
agent-reqs	Verify check versions match the Agent requirements file	✅
ci	Validate CI configuration and code coverage settings	✅
codeowners	Validate every integration has a CODEOWNERS entry	✅
config	Validate default configuration files against spec.yaml	✅
dep	Verify dependency pins are consistent and Agent-compatible	✅
http	Validate integrations use the HTTP wrapper correctly	✅
imports	Validate check imports do not use deprecated modules	✅
integration-style	Validate check code style conventions	✅
jmx-metrics	Validate JMX metrics definition files and config	✅
labeler	Validate PR labeler config matches integration directories	✅
legacy-signature	Validate no integration uses the legacy Agent check signature	✅
license-headers	Validate Python files have proper license headers	✅
licenses	Validate third-party license attribution list	✅
metadata	Validate metadata.csv metric definitions	✅
models	Validate configuration data models match spec.yaml	✅
openmetrics	Validate OpenMetrics integrations disable the metric limit	✅
package	Validate Python package metadata and naming	✅
qa-label	Validate the pull request declares whether it needs QA for the next Agent release	✅
readmes	Validate README files have required sections	✅
saved-views	Validate saved view JSON file structure and fields	✅
version	Validate version consistency between package and changelog	✅

View full run

[Kyle-Neale]

Switching to a more targeted fix: pinning cryptography in .builders/deps/host_dependencies.txt instead of restoring brew tools. The unpinned management-deps install was pulling cryptography 49.0.0 (no x86_64 wheel) → sdist source build → openssl-sys failure on the brew-wiped runner. Pinning avoids the source build entirely.