feat: add package metadata for wheel libraries

MODULE.bazel

@@ -6,8 +6,9 @@ module(
 
 bazel_dep(name = "bazel_features", version = "1.21.0")
 bazel_dep(name = "bazel_skylib", version = "1.8.2")
-bazel_dep(name = "rules_cc", version = "0.1.5")
+bazel_dep(name = "package_metadata", version = "0.0.6")
 bazel_dep(name = "platforms", version = "0.0.11")
+bazel_dep(name = "rules_cc", version = "0.1.5")
 
 # Those are loaded only when using py_proto_library
 # Use py_proto_library directly from protobuf repository

python/private/pypi/generate_whl_library_build_bazel.bzl

@@ -41,6 +41,12 @@ _TEMPLATE = """\
 
 package(default_visibility = ["//visibility:public"])
 
+package_metadata(
+    name = "package_metadata",
+    purl = {purl},
+    visibility = ["//:__subpackages__"],
+)
+
 {fn}(
 {kwargs}
 )
@@ -50,6 +56,7 @@ def generate_whl_library_build_bazel(
         *,
         annotation = None,
         default_python_version = None,
+        purl = None,
         **kwargs):
     """Generate a BUILD file for an unzipped Wheel
 
@@ -63,7 +70,10 @@ def generate_whl_library_build_bazel(
         A complete BUILD file as a string
     """
 
-    loads = []
+    loads = [
+        """load("@package_metadata//rules:package_metadata.bzl", "package_metadata")""",
+    ]
+
     if kwargs.get("tags"):
         fn = "whl_library_targets"
 
@@ -132,6 +142,7 @@ def generate_whl_library_build_bazel(
                     "{} = {},".format(k, _RENDER.get(k, repr)(v))
                     for k, v in sorted(kwargs.items())
                 ])),
+                purl = repr(purl),
             ),
         ] + additional_content,
     )

python/private/pypi/whl_library.bzl

@@ -297,6 +297,16 @@ def _extract_whl_py(rctx, *, python_interpreter, args, whl_path, environment, lo
         logger = logger,
     )
 
+def _to_purl(metadata):
+    """
+    Produce a PyPI PURL from the metadata.
+
+    https://github.com/package-url/purl-spec/blob/main/types-doc/pypi-definition.md
+    """
+    # https://github.com/package-url/purl-spec/blob/main/types-doc/pypi-definition.md#name-definition
+    name = metadata.name.replace("_", "-").lower()
+    return "pkg:pypi/{}@{}".format(name, metadata.version)
+
 def _whl_library_impl(rctx):
     logger = repo_utils.logger(rctx)
     python_interpreter = pypi_repo_utils.resolve_python_interpreter(
@@ -476,6 +486,7 @@ def _whl_library_impl(rctx):
             group_name = rctx.attr.group_name,
             namespace_package_files = namespace_package_files,
             extras = requirement(rctx.attr.requirement).extras,
+            purl = _to_purl(metadata),
         )
     else:
         metadata = json.decode(rctx.read("metadata.json"))
@@ -526,14 +537,21 @@ def _whl_library_impl(rctx):
                 "pypi_version={}".format(metadata["version"]),
             ],
             namespace_package_files = namespace_package_files,
+            purl = _to_purl(metadata),
         )
 
     # Delete these in case the wheel had them. They generally don't cause
     # a problem, but let's avoid the chance of that happening.
     rctx.file("WORKSPACE")
     rctx.file("WORKSPACE.bazel")
     rctx.file("MODULE.bazel")
-    rctx.file("REPO.bazel")
+    rctx.file("REPO.bazel", """\
+repo(
+    default_package_metadata = [
+        "//:package_metadata",
+    ],
+)
+""")
 
     paths = list(rctx.path(".").readdir())
     for _ in range(10000000):