[python-package] use PEP 639 license metadata, bump toscikit-build-core>=0.11.0, use hatchling instead of setuptools

[jameslamb]

Fixes #6665
Replaces #6681

This project uses setuptools when building a Python wheel with a pre-compiled lib_lightgbm.{dll,dylib,so}, like this:

cmake -B build -S .
cmake --build build --target _lightgbm
sh build-python.sh install --precompile

That's helpful for users building with customizations (like the MPI version), and that pattern used in all the TASK=regular CI jobs here.

For a few months, that's been raising warnings about license metadata, warning that a new setuptools in February 2026 may turn those warnings into errors.

warning text (click me)

Warnings below from a recent regular job (build link)

/tmp/build-env-vhotg1gp/lib/python3.13/site-packages/setuptools/config/_apply_pyprojecttoml.py:82: SetuptoolsDeprecationWarning: `project.license` as a TOML table is deprecated
!!

        ********************************************************************************
        Please use a simple string containing a SPDX expression for `project.license`. You can also use `project.license-files`. (Both options available on setuptools>=77.0.0).

        By 2026-Feb-18, you need to update your project and remove deprecated calls
        or your builds will no longer be supported.

        See https://packaging.python.org/en/latest/guides/writing-pyproject-toml/#license for details.
        ********************************************************************************

!!
  corresp(dist, value, root_dir)
/tmp/build-env-vhotg1gp/lib/python3.13/site-packages/setuptools/config/_apply_pyprojecttoml.py:61: SetuptoolsDeprecationWarning: License classifiers are deprecated.
!!

        ********************************************************************************
        Please consider removing the following classifiers in favor of a SPDX license expression:

        License :: OSI Approved :: MIT License

        See https://packaging.python.org/en/latest/guides/writing-pyproject-toml/#license for details.
        ********************************************************************************

!!
  dist._finalize_license_expression()
/tmp/build-env-vhotg1gp/lib/python3.13/site-packages/setuptools/dist.py:759: SetuptoolsDeprecationWarning: License classifiers are deprecated.
!!

        ********************************************************************************
        Please consider removing the following classifiers in favor of a SPDX license expression:

        License :: OSI Approved :: MIT License

        See https://packaging.python.org/en/latest/guides/writing-pyproject-toml/#license for details.
        ********************************************************************************

!!
  self._finalize_license_expression()

This resolves those warnings with following changes:

• updating the way license metadata is spelled
• moving the floor on scikit-build-core to the earliest version that supported PEP 639 (v0.11.0)
• switching from setuptools to hatchling

I found those specific floors while doing something similar for RAPIDS projects: rapidsai/build-planning#152

Benefits of these changes

• prevents builds from being broken with newer setuptools this year
  • including on conda-forge, which has similar warnings because the lightgbm feedstock patches in setuptools as the build backed (conda-forge/lightgbm-feedstock code link)
• permanently fixes [python-package] UNKNOWN python package #6665 and reduces the risk of it happening in the future (details below)
• pulls in fixes, performance improvements, etc. in newer scikit-build-core
• makes it easier for security and compliance scanners to extract license data from lightgbm installations

Notes for Reviewers

Why scikit-build-core>=0.11.0?

Tat's the first version that support PEP 639 license metadata.

I recently updated all of RAPIDS to that version (rapidsai/build-planning#152) and didn't encounter any problems, so I think it's safe.

why switch to hatchling? how does that affect portability?

hatchling makes --precompile builds of lightgbm more portable and more backwards-compatible than the current setup with setuptools 😁

hatchling is a pure Python package (just a py3-none-any wheel), so it doesn't bring any new constraints on GLIBC version, CPU architecture, or operating system.

It also avoids these setuptools-specific problems:

• setuptools being system-installed on some linux distributions as a hard requirement of pip (see [python-package] UNKNOWN python package #6665, especially [python-package] UNKNOWN python package #6665 (comment))
• setuptools sometimes being declared as a runtime dependency of lightgbm's depenendencies
  • example: older pandas packages on conda-forge have a runtime dependency on setuptools<60
  • build with some environment conflicts caused by that: (link)

For these --precompile builds, we only need very very simple Python packaging: create a zip archive out of a directory and write the appropriate wheel metadata. No compiler flags, handling of symlinks, other configuration for sdists, etc.

This is a long-term fix for #6665, replacing #6681 😁 (see #6665 (comment))

why hatchling>=1.27.0 specifically?

hatchling==1.27.0 was the final version to support Python 3.9 (pypa/hatch#2097), the oldest Python lightgbm supports.

[jameslamb]

With hatchling we have tighter control over package contents, so --precompile can build a wheel 😁

[jameslamb]

If this echo is portable enough, then we can avoid using --find-links in pip.

Not strictly related to the rest of this change, but just something else I noticed that could help with building from source using build-python.sh.

[jameslamb]

setuptools was only helpful here because it gets system installed by apt-get install python-pip on Ubuntu, and so needed to be upgraded.

Any other build-time requirements (like scikit-build-core) don't need to be separately installed by default, because they'll be set up in pip's isolated build environment.

[jameslamb]

Test like this:

$ sh build-python.sh install
...
[INFO] 'install' passed but no package type ('bdist_wheel', 'sdist') chosen. Defaulting to 'bdist_wheel'.
[INFO] --- building wheel ---
* Creating isolated environment: venv+pip...
* Installing packages in isolated environment:
  - scikit-build-core>=0.11.0
* Getting build dependencies for wheel...
* Building wheel...
...
Successfully built lightgbm-4.6.0.99-py3-none-macosx_14_0_arm64.whl
[INFO] --- installing lightgbm ---
Processing ./dist/lightgbm-4.6.0.99-py3-none-macosx_14_0_arm64.whl
Installing collected packages: lightgbm
  Attempting uninstall: lightgbm
    Found existing installation: lightgbm 4.6.0.99
    Uninstalling lightgbm-4.6.0.99:
      Successfully uninstalled lightgbm-4.6.0.99
Successfully installed lightgbm-4.6.0.99

[jameslamb]

python3-venv is required because now these commands build a wheel (not an sdist), with build isolation.

Found that in testing on Ubuntu 22.04: #6665 (comment)

[jameslamb]

Using heredocs for readability. See this old review thread: #6681 (comment)

[borchero]

Nice! Big fan of hatchling ;)

[jameslamb]

Thanks @borchero . Yeah I've started trying it out recently and am really liking it!

Inspired by pyOpenSci's write-up here: https://www.pyopensci.org/python-package-guide/package-structure-code/python-package-build-tools.html#about-hatch

(cc @ucodery @lwasser thanks 😊)