feat: Automate Python Wheel Build And Release

[jac0626]

feat: Automate Python Wheel Builds and Optimize Dependencies

This PR modernizes the Python packaging process by introducing a fully automated CI/CD pipeline to build
and publish wheels, while also optimizing the binary dependencies.

Key Changes:

• Automated Wheel Builds: Implemented a new GitHub Actions workflow using cibuildwheel to create manylinux
  wheels for x86_64 and aarch64 architectures. The workflow automatically publishes to TestPyPI on pushes
  to main and to the official PyPI when a new release is created.
• Modernized Packaging: Migrated the build system to use pyproject.toml (following PEP 517/518 standards),
  replacing the previous setup.py-based scripts for a more robust and reliable process.

---

Note for Maintainers: Required Secrets

To enable the new automated publishing workflow (build_release_wheel.yml), the following secrets must be
added to the repository's settings under Settings > Secrets and variables > Actions:

• PYPI_API_TOKEN: The API token for publishing packages to the official PyPI repository. This is used when
  a new release is published.
• TEST_PYPI_API_TOKEN: The API token for the TestPyPI repository, used for testing the release process on
  pushes to main.

These secrets are essential for the workflow to publish packages automatically. For more details, please
see the GitHub documentation on creating secrets
(https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions).

Future work should include adding build support for Windows and macOS
close #1020

Summary by Sourcery

Modernize and automate the Python packaging workflow by replacing setup.py with a pyproject.toml-based build, adding CMake support for static MKL linking, and implementing a GitHub Actions pipeline with cibuildwheel to build and publish manylinux wheels across multiple architectures.

New Features:

• Automate wheel building and publishing for x86_64 and aarch64 using GitHub Actions and cibuildwheel
• Migrate packaging to PEP 517/518 with pyproject.toml and dynamic versioning via setuptools_scm
• Reduce runtime mkl dependencies and wheel size
• Add build_cpp_for_cibw.sh to configure, build, strip, and package Python extension modules for cibuildwheel

Enhancements:

• Simplify setup.py to minimal extension declaration and remove legacy packaging logic
• Enhance CMakeLists to detect Python executables, emit configuration messages, and apply static linking flags for the Python module
• Remove obsolete Makefile and build scripts in favor of the new CI/CD pipeline

CI:

• Introduce a build_release_wheel GitHub Actions workflow to build wheels, upload artifacts, and publish to TestPyPI and PyPI based on branch or release events

[gemini-code-assist]

Important

Installation incomplete: to start using Gemini Code Assist, please ask the organization owner(s) to visit the Gemini Code Assist Admin Console and sign the Terms of Services.

[sourcery-ai]

Reviewer's Guide

This PR implements a complete CI/CD workflow for building and publishing manylinux Python wheels via GitHub Actions and cibuildwheel, migrates Python packaging to PEP 517/518 with pyproject.toml, and refactors the CMake infrastructure to support static MKL linking and enhanced Python bindings.

Sequence diagram for automated wheel publishing on release

sequenceDiagram
    participant Dev as Developer
    participant GH as GitHub Actions
    participant PyPI as PyPI
    Dev->>GH: Create new release
    GH->>GH: Build wheels (cibuildwheel)
    GH->>GH: Upload artifacts
    GH->>PyPI: Publish wheels (using PYPI_API_TOKEN)
    PyPI-->>GH: Success/Failure response
    GH-->>Dev: Notify of publish result

Loading

Sequence diagram for automated wheel publishing on push to main (TestPyPI)

sequenceDiagram
    participant Dev as Developer
    participant GH as GitHub Actions
    participant TestPyPI as TestPyPI
    Dev->>GH: Push to main branch
    GH->>GH: Build wheels (cibuildwheel)
    GH->>GH: Upload artifacts
    GH->>TestPyPI: Publish wheels (using TEST_PYPI_API_TOKEN)
    TestPyPI-->>GH: Success/Failure response
    GH-->>Dev: Notify of publish result

Loading

Class diagram for the updated Python packaging structure

classDiagram
    class pyvsag {
        <<package>>
        _pyvsag*.so
        _version.py
    }
    class pyproject.toml {
        build-system
        project
        tool.setuptools
        tool.setuptools_scm
        tool.cibuildwheel
    }
    pyvsag <.. pyproject.toml : defined in

Loading

File-Level Changes

Change	Details	Files
Automate wheel builds and releases	Add GitHub Actions workflow for matrix builds, TestPyPI and PyPI publishing Configure cibuildwheel via pyproject.toml for manylinux x86_64 and aarch64 Introduce build_cpp_for_cibw.sh to orchestrate CMake build and artifact handling Remove legacy Makefile target and obsolete build scripts	.github/workflows/build_release_wheel.yml python/pyproject.toml scripts/build_cpp_for_cibw.sh Makefile scripts/build_pyvsag_multiple_version.sh
Migrate packaging to pyproject.toml	Eliminate setup.py content in favor of PEP 517/518 build-system section Define project metadata, dependencies, package data, and dynamic versioning in toml Integrate setuptools_scm for version management	python/setup.py python/pyproject.toml
Refactor CMake for static MKL linking	Implement dynamic search paths and break loops upon first match Link MKL and OpenMP statically using .a libraries and linker flags Provide clear status messages and graceful fallback to OpenBLAS	extern/mkl/mkl.cmake
Enhance Python binding configuration in CMake	Allow custom Python executable overrides and verbose interpreter discovery Add static linking flags for _pyvsag extension Emit detailed build status messages for Python version and output naming	CMakeLists.txt

Possibly linked issues

• Build and publish Python packages for ARM64 (aarch64) #1020: The PR automates the build and release of pyvsag Python wheels, directly fulfilling the issue's requirement for automated pip install pyvsag support.

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey there - I've reviewed your changes and they look great!

Blocking issues:

• An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. (link)
• An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. (link)
• An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. (link)

Prompt for AI Agents

Please address the comments from this code review:
## Individual Comments

### Comment 1
<location> `extern/mkl/mkl.cmake:56` </location>
<code_context>
+        message(FATAL_ERROR "Could not find Intel MKL in standard locations; use -DMKL_PATH to specify the install location")
+    endif()
+
+    if(NOT MKL_INCLUDE_PATH)
+        message(WARNING "Could not find MKL headers, continuing without include path")
+    endif()
</code_context>

<issue_to_address>
Build continues with a warning if MKL headers are missing.

If MKL headers are required, consider treating their absence as a fatal error. Otherwise, clearly document what functionality will be unavailable when headers are missing.

Suggested implementation:

```
    if(NOT MKL_INCLUDE_PATH)
        message(FATAL_ERROR "Could not find MKL headers. MKL headers are required for building MKL-dependent functionality. Please specify the header location with -DMKL_INCLUDE_PATH.")
    endif()

```

If MKL headers are optional, use:
message(WARNING "Could not find MKL headers. MKL-dependent functionality will be disabled. Specify the header location with -DMKL_INCLUDE_PATH to enable full MKL support.")
and ensure the rest of the build system disables or excludes MKL-dependent features when headers are missing.
</issue_to_address>

### Comment 2
<location> `extern/mkl/mkl.cmake:63` </location>
<code_context>
+
+    
+    link_directories(${MKL_PATH})
+    if(OMP_PATH)
+        link_directories(${OMP_PATH})
+    endif()
</code_context>

<issue_to_address>
OMP_PATH is now optional for linking.

If OMP_PATH is unset, please ensure the build system checks for OpenMP availability or falls back to system libraries to prevent runtime errors.

Suggested implementation:

```


    link_directories(${MKL_PATH})
    if(OMP_PATH)
        link_directories(${OMP_PATH})
    else()
        find_package(OpenMP)
        if(OpenMP_FOUND)
            message(STATUS "OpenMP found: ${OpenMP_C_FLAGS}")
            # Link OpenMP libraries if found
            if(TARGET OpenMP::OpenMP_CXX)
                set(OPENMP_LIBRARIES OpenMP::OpenMP_CXX)
            elseif(OpenMP_CXX_LIBRARIES)
                set(OPENMP_LIBRARIES ${OpenMP_CXX_LIBRARIES})
            elseif(OpenMP_C_LIBRARIES)
                set(OPENMP_LIBRARIES ${OpenMP_C_LIBRARIES})
            endif()
        else()
            message(WARNING "OMP_PATH not set and OpenMP not found; build may fail or run without OpenMP support")
        endif()
    endif()

```

You may need to ensure that `${OPENMP_LIBRARIES}` is actually linked to your targets later in your CMake configuration, e.g., using `target_link_libraries(your_target ${OPENMP_LIBRARIES})`. Adjust as needed for your project's structure.
</issue_to_address>

### Comment 3
<location> `extern/mkl/mkl.cmake:95` </location>
<code_context>
-    message ("enable intel-mkl as blas backend")
-else ()
+
+    add_compile_options(-m64)
+    
+   
</code_context>

<issue_to_address>
Explicitly adds -m64 compile option.

Consider applying -m64 only when the target architecture is 64-bit to avoid compatibility issues on platforms that require 32-bit builds or lack support for this flag.
</issue_to_address>

<suggested_fix>
<<<<<<< SEARCH
+    add_compile_options(-m64)
+    
+   
=======
+    # Add -m64 only if building for 64-bit architecture
+    if(CMAKE_SIZEOF_VOID_P EQUAL 8)
+        add_compile_options(-m64)
+    endif()
>>>>>>> REPLACE

</suggested_fix>

### Comment 4
<location> `scripts/build_cpp_for_cibw.sh:119` </location>
<code_context>
+    echo "Found libvsag.so at: $LIBVSAG_SO"
+    
+    
+    if ldd "$PYVSAG_CPYTHON_SO" 2>/dev/null | grep -q "libvsag.so.*=> not found"; then
+        echo "libvsag.so not in standard path, copying to package"
+        strip --strip-unneeded "$LIBVSAG_SO" || true
</code_context>

<issue_to_address>
Script checks for missing libvsag.so and copies it if needed.

If multiple libvsag.so versions exist, the script may not select the correct one. Match the version or build timestamp to avoid inconsistencies.
</issue_to_address>

<suggested_fix>
<<<<<<< SEARCH
LIBVSAG_SO=$(find $CMAKE_BUILD_DIR -name "libvsag.so*" -type f | head -n1)

if [ -n "$LIBVSAG_SO" ]; then
    echo "Found libvsag.so at: $LIBVSAG_SO"


    if ldd "$PYVSAG_CPYTHON_SO" 2>/dev/null | grep -q "libvsag.so.*=> not found"; then
        echo "libvsag.so not in standard path, copying to package"
        strip --strip-unneeded "$LIBVSAG_SO" || true
        cp "$LIBVSAG_SO" python/pyvsag/
    else

        strip --strip-unneeded "$LIBVSAG_SO" || true
        echo "libvsag.so is accessible, letting auditwheel handle it"
    fi
fi
=======
# Find all libvsag.so* files and select the most recently modified one
LIBVSAG_SO=$(find "$CMAKE_BUILD_DIR" -name "libvsag.so*" -type f -printf "%T@ %p\n" | sort -nr | head -n1 | awk '{print $2}')

if [ -n "$LIBVSAG_SO" ]; then
    echo "Selected libvsag.so for packaging: $LIBVSAG_SO"

    if ldd "$PYVSAG_CPYTHON_SO" 2>/dev/null | grep -q "libvsag.so.*=> not found"; then
        echo "libvsag.so not in standard path, copying to package"
        strip --strip-unneeded "$LIBVSAG_SO" || true
        cp "$LIBVSAG_SO" python/pyvsag/
    else
        strip --strip-unneeded "$LIBVSAG_SO" || true
        echo "libvsag.so is accessible, letting auditwheel handle it"
    fi
fi
>>>>>>> REPLACE

</suggested_fix>

## Security Issues

### Issue 1
<location> `.github/workflows/build_release_wheel.yml:31` </location>

<issue_to_address>
**security (yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha):** An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

*Source: opengrep*
</issue_to_address>

### Issue 2
<location> `.github/workflows/build_release_wheel.yml:110` </location>

<issue_to_address>
**security (yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha):** An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

*Source: opengrep*
</issue_to_address>

### Issue 3
<location> `.github/workflows/build_release_wheel.yml:143` </location>

<issue_to_address>
**security (yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha):** An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

*Source: opengrep*
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

suggestion (bug_risk): Build continues with a warning if MKL headers are missing.

If MKL headers are required, consider treating their absence as a fatal error. Otherwise, clearly document what functionality will be unavailable when headers are missing.

Suggested implementation:

    if(NOT MKL_INCLUDE_PATH)
        message(FATAL_ERROR "Could not find MKL headers. MKL headers are required for building MKL-dependent functionality. Please specify the header location with -DMKL_INCLUDE_PATH.")
    endif()

If MKL headers are optional, use:
message(WARNING "Could not find MKL headers. MKL-dependent functionality will be disabled. Specify the header location with -DMKL_INCLUDE_PATH to enable full MKL support.")
and ensure the rest of the build system disables or excludes MKL-dependent features when headers are missing.

[sourcery-ai]

suggestion (bug_risk): OMP_PATH is now optional for linking.

If OMP_PATH is unset, please ensure the build system checks for OpenMP availability or falls back to system libraries to prevent runtime errors.

Suggested implementation:

    link_directories(${MKL_PATH})
    if(OMP_PATH)
        link_directories(${OMP_PATH})
    else()
        find_package(OpenMP)
        if(OpenMP_FOUND)
            message(STATUS "OpenMP found: ${OpenMP_C_FLAGS}")
            # Link OpenMP libraries if found
            if(TARGET OpenMP::OpenMP_CXX)
                set(OPENMP_LIBRARIES OpenMP::OpenMP_CXX)
            elseif(OpenMP_CXX_LIBRARIES)
                set(OPENMP_LIBRARIES ${OpenMP_CXX_LIBRARIES})
            elseif(OpenMP_C_LIBRARIES)
                set(OPENMP_LIBRARIES ${OpenMP_C_LIBRARIES})
            endif()
        else()
            message(WARNING "OMP_PATH not set and OpenMP not found; build may fail or run without OpenMP support")
        endif()
    endif()

You may need to ensure that ${OPENMP_LIBRARIES} is actually linked to your targets later in your CMake configuration, e.g., using target_link_libraries(your_target ${OPENMP_LIBRARIES}). Adjust as needed for your project's structure.

[sourcery-ai]

suggestion: Explicitly adds -m64 compile option.

Consider applying -m64 only when the target architecture is 64-bit to avoid compatibility issues on platforms that require 32-bit builds or lack support for this flag.

Suggested change

	add_compile_options(-m64)
	+ # Add -m64 only if building for 64-bit architecture
	+ if(CMAKE_SIZEOF_VOID_P EQUAL 8)
	+ add_compile_options(-m64)
	+ endif()

[sourcery-ai]

suggestion (bug_risk): Script checks for missing libvsag.so and copies it if needed.

If multiple libvsag.so versions exist, the script may not select the correct one. Match the version or build timestamp to avoid inconsistencies.

Suggested change

	LIBVSAG_SO=$(find $CMAKE_BUILD_DIR -name "libvsag.so*" -type f | head -n1)
	if [ -n "$LIBVSAG_SO" ]; then
	echo "Found libvsag.so at: $LIBVSAG_SO"
	if ldd "$PYVSAG_CPYTHON_SO" 2>/dev/null | grep -q "libvsag.so.*=> not found"; then
	echo "libvsag.so not in standard path, copying to package"
	strip --strip-unneeded "$LIBVSAG_SO" || true
	cp "$LIBVSAG_SO" python/pyvsag/
	else
	strip --strip-unneeded "$LIBVSAG_SO" || true
	echo "libvsag.so is accessible, letting auditwheel handle it"
	fi
	fi
	# Find all libvsag.so* files and select the most recently modified one
	LIBVSAG_SO=$(find "$CMAKE_BUILD_DIR" -name "libvsag.so*" -type f -printf "%T@ %p\n" | sort -nr | head -n1 | awk '{print $2}')
	if [ -n "$LIBVSAG_SO" ]; then
	echo "Selected libvsag.so for packaging: $LIBVSAG_SO"
	if ldd "$PYVSAG_CPYTHON_SO" 2>/dev/null | grep -q "libvsag.so.*=> not found"; then
	echo "libvsag.so not in standard path, copying to package"
	strip --strip-unneeded "$LIBVSAG_SO" || true
	cp "$LIBVSAG_SO" python/pyvsag/
	else
	strip --strip-unneeded "$LIBVSAG_SO" || true
	echo "libvsag.so is accessible, letting auditwheel handle it"
	fi
	fi

[sourcery-ai]

security (yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha): An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

Source: opengrep

[sourcery-ai]

security (yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha): An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

Source: opengrep

[sourcery-ai]

security (yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha): An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

Source: opengrep

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

@@            Coverage Diff             @@
##             main    #1064      +/-   ##
==========================================
+ Coverage   91.43%   92.00%   +0.56%     
==========================================
  Files         317      312       -5     
  Lines       18956    18889      -67     
==========================================
+ Hits        17333    17378      +45     
+ Misses       1623     1511     -112     

Flag	Coverage Δ
cpp	92.00% <ø> (+0.56%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
common	91.48% <ø> (ø)
datacell	93.03% <ø> (+0.49%)	⬆️
index	90.81% <ø> (+0.57%)	⬆️
simd	100.00% <ø> (ø)

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 9148850...9743e6c. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

re review

[jac0626]

https://pypi.org/project/pyvsag-test-jc/ this is the test wheels uploaded by my test branch

[wxyucs]

Hi @jac0626, thanks for your contribution. This change is large, so I need more time to review and validate it.

[wxyucs]

@LHT129 @ShawnShawnYou, please review changes in this file to make sure it's correct for the library packaging (include our internal usage)

[wxyucs]

Add comments that start with ##. so that we can use the make help command to show the command list.

[jac0626]

done

[wxyucs]

add a newline at EOF

[jac0626]

done

[wxyucs]

Add a newline at EOF

[jac0626]

done

[wxyucs]

Add a newline at EOF

[wxyucs]

add a newline at EOF

[jac0626]

done

[wxyucs]

add a newline at EOF

[jac0626]

done

[wxyucs]

use <space> instead of <tab>, and keep the comments aligned in make help output.

[wxyucs]

ditto

[wxyucs]

remove this blank line, keep only one blank line between statements

[wxyucs]

remove these blank lines, make VARS definitions together

[wxyucs]

ditto