diff --git a/build_files/build_environment/CMakeLists.txt b/build_files/build_environment/CMakeLists.txt index 4b8b154b5f8..e565fec1303 100644 --- a/build_files/build_environment/CMakeLists.txt +++ b/build_files/build_environment/CMakeLists.txt @@ -75,6 +75,7 @@ include(cmake/cython.cmake) include(cmake/numpy.cmake) include(cmake/zstandard.cmake) include(cmake/python_site_packages.cmake) +include(cmake/python_site_packages_binary.cmake) include(cmake/package_python.cmake) include(cmake/openimageio.cmake) include(cmake/usd.cmake) diff --git a/build_files/build_environment/cmake/package_python.cmake b/build_files/build_environment/cmake/package_python.cmake index 75cb8cb7057..9ee32608f1a 100644 --- a/build_files/build_environment/cmake/package_python.cmake +++ b/build_files/build_environment/cmake/package_python.cmake @@ -48,6 +48,7 @@ if(MSVC) external_python external_numpy external_python_site_packages + external_python_site_packages_binary external_zstandard external_cython OUTPUT @@ -97,6 +98,7 @@ if(MSVC) external_python external_numpy external_python_site_packages + external_python_site_packages_binary external_zstandard external_cython OUTPUT diff --git a/build_files/build_environment/cmake/python_binary_requirements.txt.in b/build_files/build_environment/cmake/python_binary_requirements.txt.in new file mode 100644 index 00000000000..511106696ef --- /dev/null +++ b/build_files/build_environment/cmake/python_binary_requirements.txt.in @@ -0,0 +1 @@ +@PYTHON_BINARY_REQUIREMENTS_CONTENT@ \ No newline at end of file diff --git a/build_files/build_environment/cmake/python_site_packages_binary.cmake b/build_files/build_environment/cmake/python_site_packages_binary.cmake new file mode 100644 index 00000000000..808a6529f73 --- /dev/null +++ b/build_files/build_environment/cmake/python_site_packages_binary.cmake @@ -0,0 +1,28 @@ +# SPDX-FileCopyrightText: 2025 Blender Authors +# +# SPDX-License-Identifier: GPL-2.0-or-later + +configure_file(${CMAKE_SOURCE_DIR}/cmake/python_binary_requirements.txt.in ${CMAKE_BINARY_DIR}/python_binary_requirements.txt @ONLY) + + +# `--require-hashes` accomplishes 2 things for us +# +# - it forces us to supply hashses and versions for all packages installed protecting against supply chain attacks +# - if during a version bump any deps gain additional deps, these won't be in our requirements file, thus miss the hashes for those deps +# and an error will occur alerting us to this situation. + +ExternalProject_Add(external_python_site_packages_binary + DOWNLOAD_COMMAND "" + CONFIGURE_COMMAND "" + BUILD_COMMAND "" + PREFIX ${BUILD_DIR}/site_packages + + INSTALL_COMMAND ${PYTHON_BINARY} -m pip install --no-cache-dir -r ${CMAKE_BINARY_DIR}/python_binary_requirements.txt + --require-hashes + --only-binary :all: +) + +add_dependencies( + external_python_site_packages_binary + external_python +) diff --git a/build_files/build_environment/cmake/versions.cmake b/build_files/build_environment/cmake/versions.cmake index 702455df28a..7e87e641ecc 100644 --- a/build_files/build_environment/cmake/versions.cmake +++ b/build_files/build_environment/cmake/versions.cmake @@ -396,6 +396,55 @@ set(OPENVDB_HOMEPAGE http://www.openvdb.org/) set(OPENVDB_LICENSE SPDX:MPL-2.0) set(OPENVDB_COPYRIGHT "Copyright Contributors to the OpenVDB Project") +# ------------------------------------------------------------------------------ +# Python Binary Modules +# as these are binary packages, and they will differ from platform to platform we will have to +# specify a hash per platform, this is cumberome but there's really no way around that. Hopefully +# these packages will not update too often. + +set(PYDANTIC_VERSION 2.11.7) +set(PYDANTIC_HASH_ANY sha256:dde5df002701f6de26248661f6835bbe296a47bf73990135c7d07ce741b9623b) + +set(ANNOTATED_TYPES_VERSION 0.7.0) +set(ANNOTATED_TYPES_HASH_ANY sha256:1f02e8b43a8fbbc3f3e0d4f0f4bfc8131bcb4eebe8849b8e5c773f3a1c582a53) + +set(PYDANTIC_CORE_VERSION 2.33.2) +set(PYDANTIC_CORE_HASH_WIN_X64 sha256:1e063337ef9e9820c77acc768546325ebe04ee38b08703244c1309cccc4f1bab) +set(PYDANTIC_CORE_HASH_WIN_ARM sha256:6b99022f1d19bc32a4c2a0d544fc9a76e3be90f0b3f4af413f87d38749300e65) +set(PYDANTIC_CORE_HASH_MAC_ARM sha256:e799c050df38a639db758c617ec771fd8fb7a5f8eaaa4b27b101f266b216a246) +set(PYDANTIC_CORE_HASH_LNX_X64 sha256:881b21b5549499972441da4758d662aeea93f1923f953e9cbaff14b8b9565aef) + +set(TYPING_EXTENSIONS_VERSION 4.14.0) +set(TYPING_EXTENSIONS_HASH_ANY sha256:a1514509136dd0b477638fc68d6a91497af5076466ad0fa6c338e44e359944af) + +set(TYPING_INSPECTION_VERSION 0.4.1) +set(TYPING_INSPECTION_HASH_ANY sha256:389055682238f53b04f7badcb49b989835495a96700ced5dab2d8feae4b26f51) + +if(WIN32) + if(BLENDER_PLATFORM_ARM) + set(PYTHON_BINARY_PLATFORM WIN_ARM) + else() + set(PYTHON_BINARY_PLATFORM WIN_X64) + endif() +elseif(APPLE) + set(PYTHON_BINARY_PLATFORM MAC_ARM) +elseif(UNIX) + set(PYTHON_BINARY_PLATFORM LNX_X64) +endif() + +# +# This variable is used by configure_file inside python_site_packages_binary, arguably this could +# likely belong more in that file than it does in versions.cmake, however, having it here keeps +# all version related data in a single place. +# +set(PYTHON_BINARY_REQUIREMENTS_CONTENT +"pydantic==${PYDANTIC_VERSION} --hash=${PYDANTIC_HASH_ANY} +annotated-types==${ANNOTATED_TYPES_VERSION} --hash=${ANNOTATED_TYPES_HASH_ANY} +pydantic-core==${PYDANTIC_CORE_VERSION} --hash=${PYDANTIC_CORE_HASH_${PYTHON_BINARY_PLATFORM}} +typing-extensions==${TYPING_EXTENSIONS_VERSION} --hash=${TYPING_EXTENSIONS_HASH_ANY} +typing-inspection==${TYPING_INSPECTION_VERSION} --hash=${TYPING_INSPECTION_HASH_ANY} +") + # ------------------------------------------------------------------------------ # Python Modules