From 98ef01bd68e327a2fd4e788871b8398b06defd3a Mon Sep 17 00:00:00 2001 From: Kyle-Neale Date: Tue, 16 Jun 2026 14:11:34 -0400 Subject: [PATCH] Fix macos-x86_64 build by restoring pkg-config and openssl@3 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The macOS Set up environment step wipes all brew formulae before installing only coreutils, to keep delocate from bundling unintended brew libraries into output wheels. The trade-off is that the subsequent "Install management dependencies" pip install can no longer build native extensions that need OpenSSL — pip resolves cryptography transitively via google-cloud-storage and falls back to a source build when no wheel matches the PBS Python's platform tags, then the cryptography Rust extension fails with: error: failed to run custom build command for `openssl-sys v0.9.117` Could not find openssl via pkg-config This has been silently breaking every dependency-bump PR since #22996 merged on 2026-03-23. The auto-generated bot/update-dependencies PRs (#23081, #23172, #23288, #23368, #23483, #23566, #23658, #23718, #23825, #23886, #23946, #24041) have all been stuck on this failure, and the same failure surfaces on any human-opened PR that touches cryptography. Re-install pkg-config and openssl@3 (keg-only) after the wipe and export OPENSSL_DIR + PKG_CONFIG_PATH so openssl-sys can locate them. These are host-side build tools used only by the management-deps env on the runner; they are not bundled by delocate into the output wheels produced by the later "Run the build" step. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/resolve-build-deps.yaml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/.github/workflows/resolve-build-deps.yaml b/.github/workflows/resolve-build-deps.yaml index a74503462b369..cc526731e56a2 100644 --- a/.github/workflows/resolve-build-deps.yaml +++ b/.github/workflows/resolve-build-deps.yaml @@ -272,9 +272,18 @@ jobs: - name: Set up environment run: | # We remove everything that comes pre-installed via Homebrew to avoid depending on or shipping stuff that - # comes in the runner through Homebrew to better control what might get shipped in the wheels via `delocate` + # comes in the runner through Homebrew to better control what might get shipped in the wheels via `delocate`. + # pkg-config and openssl@3 are needed by the management-deps install step: pip resolves cryptography via + # transitive deps of google-cloud-storage and falls back to building from source when no wheel matches the + # PBS Python's tags. These are host-side build tools — they're not bundled by `delocate` into the output + # wheels, which are produced by the later "Run the build" step and processed in isolation. brew remove --force --ignore-dependencies $(brew list --formula) - brew install coreutils + brew install coreutils pkg-config openssl@3 + OPENSSL_PREFIX="$(brew --prefix openssl@3)" + { + echo "OPENSSL_DIR=${OPENSSL_PREFIX}" + echo "PKG_CONFIG_PATH=${OPENSSL_PREFIX}/lib/pkgconfig" + } >> "$GITHUB_ENV" - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2