{"id":13752208,"url":"https://github.com/kluctl/go-embed-python","last_synced_at":"2026-06-09T12:02:05.260Z","repository":{"id":59046640,"uuid":"532848929","full_name":"kluctl/go-embed-python","owner":"kluctl","description":"A library that provides an embedded python distribution to be usable from inside golang","archived":false,"fork":false,"pushed_at":"2026-06-09T08:55:30.000Z","size":1695709,"stargazers_count":340,"open_issues_count":10,"forks_count":32,"subscribers_count":7,"default_branch":"main","last_synced_at":"2026-06-09T09:26:26.892Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kluctl.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2022-09-05T10:21:33.000Z","updated_at":"2026-06-09T08:51:51.000Z","dependencies_parsed_at":"2024-11-16T04:42:43.035Z","dependency_job_id":null,"html_url":"https://github.com/kluctl/go-embed-python","commit_stats":null,"previous_names":[],"tags_count":55,"template":false,"template_full_name":null,"purl":"pkg:github/kluctl/go-embed-python","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kluctl%2Fgo-embed-python","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kluctl%2Fgo-embed-python/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kluctl%2Fgo-embed-python/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kluctl%2Fgo-embed-python/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kluctl","download_url":"https://codeload.github.com/kluctl/go-embed-python/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kluctl%2Fgo-embed-python/sbom","scorecard":{"id":563654,"data":{"date":"2025-08-11","repo":{"name":"github.com/kluctl/go-embed-python","commit":"3add6ff1205b8e85960ed074177ecbc12786ae94"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.6,"checks":[{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Code-Review","score":2,"reason":"Found 2/8 approved changesets -- score normalized to 2","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:62: update your workflow using https://app.stepsecurity.io/secureworkflow/kluctl/go-embed-python/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:78: update your workflow using https://app.stepsecurity.io/secureworkflow/kluctl/go-embed-python/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:100: update your workflow using https://app.stepsecurity.io/secureworkflow/kluctl/go-embed-python/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:112: update your workflow using https://app.stepsecurity.io/secureworkflow/kluctl/go-embed-python/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:135: update your workflow using https://app.stepsecurity.io/secureworkflow/kluctl/go-embed-python/release.yml/main?enable=pin","Info:   0 out of   5 GitHub-owned GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release.yml:132","Warn: jobLevel 'actions' permission set to 'write': .github/workflows/release.yml:133","Warn: no topLevel permission defined: .github/workflows/release.yml:1"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 29 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-20T14:21:21.235Z","repository_id":59046640,"created_at":"2025-08-20T14:21:21.235Z","updated_at":"2025-08-20T14:21:21.235Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34105565,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-09T02:00:06.510Z","response_time":63,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-03T09:01:01.544Z","updated_at":"2026-06-09T12:02:05.242Z","avatar_url":"https://github.com/kluctl.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"# Embedded Python Interpreter for Go\n\nThis library provides an embedded distribution of Python, which should work out-of-the box on a selected set of\narchitectures and operating systems.\n\nThis library does not require CGO and solely relies on executing Python inside another process. It does not rely\non CPython binding to work. There is also no need to have Python pre-installed on the target host.\n\nYou really only have to depend on this library and invoke it as follows:\n\n```go\nimport (\n\t\"github.com/kluctl/go-embed-python/python\"\n\t\"os\"\n)\n\nfunc main() {\n\tep, err := python.NewEmbeddedPython(\"example\")\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\n\tcmd, err := ep.PythonCmd(\"-c\", \"print('hello')\")\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\tcmd.Stdout = os.Stdout\n\tcmd.Stderr = os.Stderr\n\terr = cmd.Run()\n\tif err != nil {\n\t\tpanic(err)\n\t}\n}\n```\n\n## Supported architectures\nThe following operating systems and architectures are supported:\n* darwin-amd64\n* darwin-arm64\n* linux-amd64\n* linux-arm64\n* windows-amd64\n\n## Releases\nReleases in this library are handled a bit different from what one might be used to. This library does currently not\nfollow a versioning schema comparable to sematic versioning. This might however change in the future.\n\nRight now, every tagged release is compromised of the Python interpreter version, the [python-standalone](https://github.com/astral-sh/python-build-standalone)\nand a build number. For example, the release version `v0.0.0-3.11.6-20241219-2` belongs to Python version 3.11.6, \nthe [20241219](https://github.com/astral-sh/python-build-standalone/releases/tag/20241219) version of python-standalone\nand build number 2. The release version currently always has v0.0.0 as its own version.\n\nThe way versioning is handled might result in popular dependency management tools (e.g. dependabot) to not work as you\nmight require it. Please watch out to not accidentally upgrade your Python version!\n\n## How it works\nThis library uses the standalone Python distributions found at https://github.com/astral-sh/python-build-standalone as\nthe base.\n\nThe `./hack/build-tag.sh` script is used to invoke `python/generate` and `pip/generate`, which then downloads, extracts\nand packages all supported Python distributions. The script then also creates a tag which then can be used as a dependency\nin your project.\n\nThe tagged release internally embed all Python sources and binaries via `//go:embed`. The `EmbeddedPython` object\nis then used as a helper utility to access the embedded distribution.\n\n`EmbeddedPython` is created via `NewEmbeddedPython`, which will extract the embedded distribution into a temporary folder.\nExtraction is optimized in a way that it is only executed when needed (by verifying integrity of previously extracted\ndistributions).\n\n## Upgrading python\nThe Python version and downloaded distributions are controlled via the `.github/workflows/release.yml` workflow. It\ncontains a matrix of supported distributions. To upgrade Python, edit this workflow and create a pull request.\n\n## Embedding Python libraries into your applications\nThis library provides utilities/helpers to allow embedding of external libraries into your own application.\n\nTo do this, create a simple generator application inside your application/library, for example in `internal/my-python-libs/generate/main.go`:\n\n```go\npackage main\n\nimport (\n\t\"github.com/kluctl/go-embed-python/pip\"\n)\n\nfunc main() {\n\terr := pip.CreateEmbeddedPipPackagesForKnownPlatforms(\"requirements.txt\", \"./data/\")\n\tif err != nil {\n\t\tpanic(err)\n\t}\n}\n```\n\nThen create add the `//go:generate go run ./generate` statement to a .go file above the generator source, e.g. in `internal/my-python-libs/dummy.go`:\n```\npackage internal\n\n//go:generate go run ./generate\n```\n\nAnd the requirements.txt in `internal/my-python-libs/requirements.txt`:\n```\njinja2==3.1.2\n```\n\nWhen running `go generate ./...` inside your application/library, you'll get the referenced Python libraries installed\nto `internal/my-python-libs/data`. The embedded data is then available via `data.Data` and can be passed to\n`embed_util.NewEmbeddedFiles()` for extraction.\n\nThe path returned by `EmbeddedFiles.GetExtractedPath()` can then be added to the `EmbeddedPython` by calling\n`AddPythonPath` on it.\n\nAn example of all this can be found in https://github.com/kluctl/go-jinja2\n\n# Why another go+python solution?\nThere are already multiple implementations of go-bindings for Python, which however all rely on CGO and/or dynamic\nlinking. I experimented a lot with these and was not able to make it stable enough so that I could use it without fear\nof the process crashing after some time. I even got to the point where I implemented my own dynamic library loader that\nwas not depending on CGO, but ultimately gave up when I realized that it would not work on all platforms.\n\nThe only solution that was left was to spawn a Python process and use some kind of inter-process communication. For this\nto work reliably, without any dependencies on the host system, it was required to embed a fully working Python\ndistribution into my Go binaries. I managed to make this flexible enough to put into a library so that others might\nbenefit as well.\n\nInitially, this approach/code was part of https://github.com/kluctl/kluctl to allow Jinja2 templates in Go. The Jinja2\npart can now be found in https://github.com/kluctl/go-jinja2.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkluctl%2Fgo-embed-python","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkluctl%2Fgo-embed-python","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkluctl%2Fgo-embed-python/lists"}