feat(resolver): exempt top-level == pins from release cooldown

[LalatenduMohanty]

Summary

• Top-level requirements with == version pins now bypass release cooldown enforcement — the operator has explicitly chosen that version
• Transitive == pins remain subject to cooldown to prevent malicious packages from bypassing the check via pinned dependencies
• Safe default: callers that don't pass req_type still get full cooldown enforcement

Closes #1123

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR implements automatic release-age cooldown bypass for top-level requirements using exact version pins (==). The resolver now detects equality-pinned requirements, computes per-requirement cooldown aware of requirement type, and returns None (no cooldown) only for top-level == pins while enforcing cooldown for transitive dependencies. Source and wheel resolution providers pass requirement type through the cooldown resolution chain. Four test cases validate the exemption applies only to top-level ==, not transitive == or unpinned requirements. Documentation explains the exemption scope and marks the feature as implemented.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: exempting top-level == pins from release cooldown enforcement.
Linked Issues check	✅ Passed	All objectives from #1123 are met: top-level == pins bypass cooldown [#1123], transitive == pins remain enforced [#1123], and req_type defaults to full enforcement [#1123].
Out of Scope Changes check	✅ Passed	All changes are scoped to implementing the release cooldown exemption feature; no unrelated modifications detected.
Description check	✅ Passed	The PR description clearly explains the changes: top-level == pins bypass cooldown, transitive == pins remain enforced, and safe defaults are maintained.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/fromager/resolver.py`:
- Around line 140-142: The helper _has_equality_pin currently treats any "=="
specifier as an exact pin; update it to only return True for true exact pins by
checking both spec.operator == "==" and that the spec's version contains no
wildcard characters (e.g., no '*' or patterns like '1.*'). In other words,
inside _has_equality_pin (working with the Requirement and its specifier
members), ensure you inspect spec.version (or str(spec)) and exclude specifiers
where '*' appears (or the version ends with '.*') so wildcard pins like "==1.*"
do not count as exact equality pins.

In `@tests/test_cooldown.py`:
- Around line 866-907: Add a new test that exercises the boundary case where a
top-level wildcard equality like Requirement("test-pkg==1.*") should NOT be
treated as an exact-pin exemption: call resolver.resolve_package_cooldown with
ctx from _make_ctx(tmp_path, cooldown=_COOLDOWN),
req_type=RequirementType.TOP_LEVEL and Requirement("test-pkg==1.*"), and assert
the returned value equals _COOLDOWN; place the test alongside the other
test_resolve_package_cooldown_* functions and name it something like
test_resolve_package_cooldown_toplevel_wildcard_equality_not_exempt to mirror
existing naming.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 44fe1182-608d-4129-aaa2-29b43592632d

📥 Commits

Reviewing files that changed from the base of the PR and between b5b31d9 and f234e1b.

📒 Files selected for processing (6)

• docs/how-tos/release-age-cooldown.rst
• docs/proposals/release-cooldown.md
• src/fromager/resolver.py
• src/fromager/sources.py
• src/fromager/wheels.py
• tests/test_cooldown.py

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify that wildcard equality is parsed and currently matches operator "=="
python - <<'PY'
from packaging.requirements import Requirement
r = Requirement("test-pkg==1.*")
for s in r.specifier:
    print("operator=", s.operator, "version=", s.version)
PY

Repository: python-wheel-build/fromager

Length of output: 97

---

Exclude wildcard pins from == operator exemption

The function _has_equality_pin() currently exempts any requirement with == operator, including wildcards like ==1.*. This widens the cooldown bypass beyond exact pins and weakens the protection model.

Fix

 def _has_equality_pin(req: Requirement) -> bool:
     """Return True if the requirement contains an ``==`` version specifier."""
-    return any(spec.operator == "==" for spec in req.specifier)
+    return any(
+        spec.operator == "==" and "*" not in spec.version
+        for spec in req.specifier
+    )

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/fromager/resolver.py` around lines 140 - 142, The helper
_has_equality_pin currently treats any "==" specifier as an exact pin; update it
to only return True for true exact pins by checking both spec.operator == "=="
and that the spec's version contains no wildcard characters (e.g., no '*' or
patterns like '1.*'). In other words, inside _has_equality_pin (working with the
Requirement and its specifier members), ensure you inspect spec.version (or
str(spec)) and exclude specifiers where '*' appears (or the version ends with
'.*') so wildcard pins like "==1.*" do not count as exact equality pins.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add a boundary test for wildcard equality (==1.*)

These tests cover the core matrix well, but they don’t guard the exact-pin boundary. Add one case asserting top-level test-pkg==1.* does not bypass cooldown.

Suggested test

+def test_resolve_package_cooldown_toplevel_wildcard_equality_not_exempt(
+    tmp_path: pathlib.Path,
+) -> None:
+    """Top-level wildcard equality is not an exact pin, so cooldown remains active."""
+    ctx = _make_ctx(tmp_path, cooldown=_COOLDOWN)
+    result = resolver.resolve_package_cooldown(
+        ctx, Requirement("test-pkg==1.*"), req_type=RequirementType.TOP_LEVEL
+    )
+    assert result is _COOLDOWN

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/test_cooldown.py` around lines 866 - 907, Add a new test that exercises
the boundary case where a top-level wildcard equality like
Requirement("test-pkg==1.*") should NOT be treated as an exact-pin exemption:
call resolver.resolve_package_cooldown with ctx from _make_ctx(tmp_path,
cooldown=_COOLDOWN), req_type=RequirementType.TOP_LEVEL and
Requirement("test-pkg==1.*"), and assert the returned value equals _COOLDOWN;
place the test alongside the other test_resolve_package_cooldown_* functions and
name it something like
test_resolve_package_cooldown_toplevel_wildcard_equality_not_exempt to mirror
existing naming.