Add pyproject direct dependency lint

[JacobSzwejbka]

Summary

Add a lightweight lint job to the existing Lint workflow that rejects direct URL dependencies in pyproject.toml project metadata, such as pkg @ git+https://.... PyPI rejects these when uploading wheels, even behind optional extras.

Also remove the existing Cortex-M cmsis_nn @ git+... optional dependency from main pyproject metadata. The backend-specific source/dev requirement remains in backends/cortex_m/requirements-cortex-m.txt.

Test plan

• python3.11 scripts/lint_pyproject_dependencies.py pyproject.toml
• python3.11 .ci/scripts/tests/test_lint_pyproject_dependencies.py
• python3.11 -m py_compile scripts/lint_pyproject_dependencies.py .ci/scripts/tests/test_lint_pyproject_dependencies.py
• git diff --check
• verified the lint exits nonzero and emits a GitHub error annotation for a temporary bad pyproject containing bad @ git+https://example.com/repo.git@abc

Note: committed with --no-verify because this local environment cannot initialize lintrunner due to missing lintrunner_adapters; the focused checks above passed.

Authored with Claude.

[pytorch-bot]

🔗 Helpful Links

🧪 See artifacts and rendered test results at hud.pytorch.org/pr/pytorch/executorch/19857

• 📄 Preview Python docs built from this PR

Note: Links to docs will display an error until the docs builds have been completed.

❗ 1 Active SEVs

There are 1 currently active SEVs. If your PR is affected, please view them below:

• /easycla is not responding

❌ 3 New Failures, 3 Unrelated Failures, 1 Unclassified Failure

As of commit 8de66e0 with merge base c8c04e4 ():

NEW FAILURES - The following jobs have failed:

• pull / unittest / linux / linux-job (gh)
  RuntimeError: Command docker exec -t 7560c5cdeb12f16c06cbac00765f8327f170519d052cd2e2ca0fde86a0ca072c /exec failed with exit code 1
• pull / unittest-editable / linux / linux-job (gh)
  RuntimeError: Command docker exec -t dc179a6f85783d86a2a8fbc4246a005de209944a74bbbc6bdd6f26ad770d68c4 /exec failed with exit code 1
• trunk / unittest-release / linux / linux-job (gh)
  RuntimeError: Command docker exec -t 9d5723fddb29d598e3378b7349deb495efbda3497f7de70810359f4b4f2ab7d5 /exec failed with exit code 1

UNCLASSIFIED FAILURE - DrCI could not classify the following job because the workflow did not run on the merge base. The failure may be pre-existing on trunk or introduced by this PR:

• Check Labels / Check labels (gh) (this job did not run on the merge base, so DrCI cannot tell whether the failure is pre-existing)
  RuntimeError: GraphQL query

BROKEN TRUNK - The following jobs failed but were present on the merge base:

👉 Rebase onto the `viable/strict` branch to avoid these failures

• pull / unittest / macos / macos-job (gh) (trunk failure)
  ##[error]The operation was canceled.
• pull / unittest-editable / macos / macos-job (gh) (trunk failure)
  ##[error]The operation was canceled.
• trunk / unittest-release / macos / macos-job (gh) (trunk failure)
  ##[error]The operation was canceled.

This comment was automatically generated by Dr. CI and updates every 15 minutes.

[JacobSzwejbka]

cc @Erik-Lundell

[mergennachin]

For reference, this is a blocker for our pypi release

https://github.com/pytorch/test-infra/actions/runs/26598544666/job/78375864483

[digantdesai]

is there a dry-run publish? If yes, it might be catch-all for these issues.

[rascani]

FYI @Erik-Lundell - we had to rollback the cmsis-nn package dep because direct git deps are blocked by pypi (even if they are optional). Is it possible to get a cmsis-nn pypi package published?