feat(pypi): store PyPI results as facts v2

Whilst this is working locally the laundry list is:
- [ ] Add tests for the cache.
- [ ] Decide if filtering the versions in the cache is OK. It feels like
  we should not need to do it.
- [ ] Adapt the tests and test the version filtering
- [ ] Split out the parsing improvements for `parse_simpleapi_html` into
  a separate PR. I discovered a bug there where the `data-yanked=""` is
  interpreted as `yanked` package and I want to avoid misunderstandings
  where the lines would appear in the lock file and then people would be
  scratching their heads.

Superseeds bazel-contrib#3559
Fixes bazel-contrib#2731

Author: aignas

python/private/pypi/extension.bzl

@@ -225,7 +225,7 @@ You cannot use both the additive_build_content and additive_build_content_file a
     # dict[str repo, HubBuilder]
     # See `hub_builder.bzl%hub_builder()` for `HubBuilder`
     pip_hub_map = {}
-    simpleapi_cache = pypi_cache()
+    simpleapi_cache = pypi_cache(module_ctx = module_ctx)
 
     for mod in module_ctx.modules:
         for pip_attr in mod.tags.parse:
@@ -293,6 +293,7 @@ You cannot use both the additive_build_content and additive_build_content_file a
         config = config,
         exposed_packages = exposed_packages,
         extra_aliases = extra_aliases,
+        facts = simpleapi_cache.get_facts(),
         hub_group_map = hub_group_map,
         hub_whl_map = hub_whl_map,
         whl_libraries = whl_libraries,
@@ -372,7 +373,11 @@ def _pip_impl(module_ctx):
         module_ctx: module contents
     """
 
-    mods = parse_modules(module_ctx, enable_pipstar = rp_config.enable_pipstar, enable_pipstar_extract = rp_config.enable_pipstar and rp_config.bazel_8_or_later)
+    mods = parse_modules(
+        module_ctx,
+        enable_pipstar = rp_config.enable_pipstar,
+        enable_pipstar_extract = rp_config.enable_pipstar and rp_config.bazel_8_or_later,
+    )
 
     # Build all of the wheel modifications if the tag class is called.
     _whl_mods_impl(mods.whl_mods)
@@ -396,6 +401,7 @@ def _pip_impl(module_ctx):
 
     return module_ctx.extension_metadata(
         reproducible = True,
+        facts = mods.facts or {},
     )
 
 _default_attrs = {

python/private/pypi/hub_builder.bzl

@@ -395,11 +395,11 @@ def _set_get_index_urls(self, pip_attr):
             index_url = pip_attr.experimental_index_url,
             extra_index_urls = pip_attr.experimental_extra_index_urls or [],
             index_url_overrides = pip_attr.experimental_index_url_overrides or {},
-            sources = [
-                d
-                for d in distributions
+            sources = {
+                d: versions
+                for d, versions in distributions.items()
                 if _use_downloader(self, python_version, d)
-            ],
+            },
             envsubst = pip_attr.envsubst,
             # Auth related info
             netrc = pip_attr.netrc,

python/private/pypi/parse_requirements.bzl

@@ -53,7 +53,7 @@ def parse_requirements(
             os, arch combinations.
         extra_pip_args (string list): Extra pip arguments to perform extra validations and to
             be joined with args found in files.
-        get_index_urls: Callable[[ctx, list[str]], dict], a callable to get all
+        get_index_urls: Callable[[ctx, dict[str, list[str]]], dict], a callable to get all
             of the distribution URLs from a PyPI index. Accepts ctx and
             distribution names to query.
         evaluate_markers: A function to use to evaluate the requirements.
@@ -170,15 +170,17 @@ def parse_requirements(
 
     index_urls = {}
     if get_index_urls:
+        distributions = {}
+        for reqs in requirements_by_platform.values():
+            for req in reqs.values():
+                if req.srcs.url:
+                    continue
+
+                distributions.setdefault(req.distribution, []).append(req.srcs.version)
+
         index_urls = get_index_urls(
             ctx,
-            # Use list({}) as a way to have a set
-            list({
-                req.distribution: None
-                for reqs in requirements_by_platform.values()
-                for req in reqs.values()
-                if not req.srcs.url
-            }),
+            distributions,
         )
 
     ret = []

python/private/pypi/parse_simpleapi_html.bzl

@@ -53,16 +53,37 @@ def parse_simpleapi_html(*, content):
 
     # Each line follows the following pattern
     # <a href="https://...#sha256=..." attribute1="foo" ... attributeN="bar">filename</a><br />
+    #
+    # Sometimes the lines may be split, so we should seek until `<br />`
     sha256s_by_version = {}
     for line in lines[1:]:
-        dist_url, _, tail = line.partition("#sha256=")
-
-        sha256, _, tail = tail.partition("\"")
+        attrs, _, _ = line.rpartition("</a><br")
+        attrs, _, _ = attrs.rpartition(">")  # Strip the name as well
+        dist_url, sep, attrs = attrs.partition("#sha256=")
+        if sep:
+            # TODO @aignas 2026-03-08: tests
+            sha256, _, attrs = attrs.partition("\"")
+        else:
+            # TODO @aignas 2026-03-08: tests
+            sha256 = ""
 
         # See https://packaging.python.org/en/latest/specifications/simple-repository-api/#adding-yank-support-to-the-simple-api
-        yanked = "data-yanked" in line
 
-        head, _, _ = tail.rpartition("</a>")
+        # Yank reason
+        # TODO @aignas 2026-03-08: add unit tests
+        _, _, maybe_yanked = attrs.partition(" data-yanked=")
+        yanked, _, maybe_yanked = maybe_yanked.strip('"').partition('"')
+
+        # if yanked endswith '\', then we know this is an escaped yank reason containing '\"' in it
+        for _ in range(1000):
+            if not yanked.endswith("\\"):
+                break
+
+            c, _, maybe_yanked = maybe_yanked.strip('"').partition('"')
+            yanked = "{}\"{}".format(yanked, c)
+        yanked = yanked.strip(" \"")
+
+        head, _, _ = line.rpartition("</a>")
         maybe_metadata, _, filename = head.rpartition(">")
         version = version_from_filename(filename)
         sha256s_by_version.setdefault(version, []).append(sha256)
@@ -73,8 +94,8 @@ def parse_simpleapi_html(*, content):
             metadata_marker = metadata_marker + "=\"sha256="
             if metadata_marker in maybe_metadata:
                 # Implement https://peps.python.org/pep-0714/
-                _, _, tail = maybe_metadata.partition(metadata_marker)
-                metadata_sha256, _, _ = tail.partition("\"")
+                _, _, attrs = maybe_metadata.partition(metadata_marker)
+                metadata_sha256, _, _ = attrs.partition("\"")
                 metadata_url = dist_url + ".metadata"
                 break
 

python/private/pypi/pypi_cache.bzl

@@ -8,18 +8,34 @@ In the future the same will be used to:
 - Store PyPI index query results as facts in the MODULE.bazel.lock file
 """
 
-def pypi_cache(store = None):
+load(":version_from_filename.bzl", "version_from_filename")
+
+_FACT_VERSION = "v1"
+
+def pypi_cache(module_ctx = None, store = None):
     """The cache for PyPI index queries.
 
     Currently the key is of the following structure:
-    (url, real_url)
+    (url, real_url, versions)
+
+    Args:
+        module_ctx: The module context
+        store: The in-memory store, should implement dict interface for get and setdefault
+
+    Returns:
+        A cache struct
     """
+    mcache = memory_cache(store)
+    facts = {}
+    fcache = facts_cache(getattr(module_ctx, "facts", None), facts)
 
     # buildifier: disable=uninitialized
     self = struct(
-        _store = store or {},
+        _mcache = mcache,
+        _facts = fcache,
         setdefault = lambda key, parsed_result: _pypi_cache_setdefault(self, key, parsed_result),
         get = lambda key: _pypi_cache_get(self, key),
+        get_facts = lambda: _get_facts(facts),
     )
 
     # buildifier: enable=uninitialized
@@ -40,7 +56,13 @@ def _pypi_cache_setdefault(self, key, parsed_result):
     Returns:
         The `parse_result`.
     """
-    return self._store.setdefault(key, parsed_result)
+    index_url, real_url, versions = key
+    self._mcache.setdefault(real_url, None, parsed_result)
+    if not versions or not self._facts:
+        return parsed_result
+
+    filtered = _filter_packages(parsed_result, versions)
+    return self._facts.setdefault(index_url, filtered)
 
 def _pypi_cache_get(self, key):
     """Return the parsed result from the cache.
@@ -52,4 +74,163 @@ def _pypi_cache_get(self, key):
     Returns:
         The {type}`struct` or `None` based on if the result is in the cache or not.
     """
-    return self._store.get(key)
+    index_url, real_url, versions = key
+    cached = self._mcache.get(real_url, versions)
+    if not self._facts:
+        return cached
+
+    if not cached and versions:
+        # Could not get from in-memory, read from lockfile facts
+        cached = self._facts.get(index_url, versions)
+
+    return cached
+
+def _get_facts(facts):
+    return facts
+
+def memory_cache(cache = None):
+    """SimpleAPI cache for making fewer calls.
+
+    Args:
+        cache: the storage to store things in memory.
+
+    Returns:
+        struct with 2 methods, `get` and `setdefault`.
+    """
+    if cache == None:
+        cache = {}
+
+    return struct(
+        get = lambda real_url, versions: _filter_packages(cache.get(real_url), versions),
+        setdefault = lambda real_url, versions, value: _filter_packages(cache.get(real_url), versions),
+    )
+
+def _filter_packages(dists, requested_versions):
+    if dists == None:
+        return None
+
+    if not requested_versions:
+        return dists
+
+    sha256s_by_version = {}
+    whls = {}
+    sdists = {}
+
+    for sha256, d in dists.sdists.items():
+        if d.version not in requested_versions:
+            continue
+
+        sdists[sha256] = d
+        sha256s_by_version.setdefault(d.version, []).append(sha256)
+
+    for sha256, d in dists.whls.items():
+        if d.version not in requested_versions:
+            continue
+
+        whls[sha256] = d
+        sha256s_by_version.setdefault(d.version, []).append(sha256)
+
+    if not whls and not sdists:
+        # TODO @aignas 2026-03-08: add logging
+        #print("WARN: no dists matched for versions {}".format(requested_versions))
+        return None
+
+    return struct(
+        whls = whls,
+        sdists = sdists,
+        sha256s_by_version = sha256s_by_version,
+    )
+
+def facts_cache(known_facts, facts, facts_version = _FACT_VERSION):
+    if known_facts == None:
+        return None
+
+    return struct(
+        get = lambda index_url, versions: _get_from_facts(
+            facts,
+            known_facts,
+            index_url,
+            versions,
+            facts_version,
+        ),
+        setdefault = lambda url, value: _store_facts(facts, facts_version, url, value),
+        known_facts = known_facts,
+        facts = facts,
+    )
+
+def _get_from_facts(facts, known_facts, index_url, requested_versions, facts_version):
+    if known_facts.get("fact_version") != facts_version:
+        # cannot trust known facts, different version that we know how to parse
+        return None
+
+    known_sources = {}
+
+    root_url, _, distribution = index_url.rstrip("/").rpartition("/")
+    distribution = distribution.rstrip("/")
+    root_url = root_url.rstrip("/")
+
+    for url, sha256 in known_facts.get("dist_hashes", {}).get(root_url, {}).get(distribution, {}).items():
+        filename = known_facts.get("dist_filenames", {}).get(root_url, {}).get(distribution, {}).get(sha256)
+        if not filename:
+            _, _, filename = url.rpartition("/")
+
+        version = version_from_filename(filename)
+        if version not in requested_versions:
+            # TODO @aignas 2026-01-21: do the check by requested shas at some point
+            # We don't have sufficient info in the lock file, need to call the API
+            #
+            continue
+
+        if filename.endswith(".whl"):
+            dists = known_sources.setdefault("whls", {})
+        else:
+            dists = known_sources.setdefault("sdists", {})
+
+        known_sources.setdefault("sha256s_by_version", {}).setdefault(version, []).append(sha256)
+
+        dists.setdefault(sha256, struct(
+            sha256 = sha256,
+            filename = filename,
+            version = version,
+            url = url,
+            yanked = known_facts.get("dist_yanked", {}).get(root_url, {}).get(distribution, {}).get(sha256, ""),
+        ))
+
+    if not known_sources:
+        # We found nothing in facts
+        return None
+
+    output = struct(
+        whls = known_sources.get("whls", {}),
+        sdists = known_sources.get("sdists", {}),
+        sha256s_by_version = known_sources.get("sha256s_by_version", {}),
+    )
+
+    # Persist these facts for the next run because we have used them.
+    return _store_facts(facts, facts_version, index_url, output)
+
+def _store_facts(facts, fact_version, index_url, value):
+    """Store values as facts in the lock file.
+
+    The main idea is to ensure that the lock file is small and it is only storing what
+    we would need to fetch from the internet. Any derivative information we can
+    from this that can be achieved using pure Starlark functions should be done in
+    Starlark.
+    """
+    if not value:
+        return value
+
+    facts["fact_version"] = fact_version
+
+    root_url, _, distribution = index_url.rstrip("/").rpartition("/")
+    distribution = distribution.rstrip("/")
+    root_url = root_url.rstrip("/")
+
+    for sha256, d in (value.sdists | value.whls).items():
+        facts.setdefault("dist_hashes", {}).setdefault(root_url, {}).setdefault(distribution, {}).setdefault(d.url, sha256)
+        if not d.url.endswith(d.filename):
+            facts.setdefault("dist_filenames", {}).setdefault(root_url, {}).setdefault(distribution, {}).setdefault(d.url, d.filename)
+        if d.yanked:
+            facts.setdefault("dist_yanked", {}).setdefault(root_url, {}).setdefault(distribution, {}).setdefault(sha256, d.yanked)
+
+    return value