serve pre-built wheels via a static PEP 503 index

[adeebshihadeh]

Replaces the release-* shim-branch mechanism with a standard package index, generated from the wheels we already publish to GitHub Releases and served from GitHub Pages:

https://commaai.github.io/dependencies/simple/

How it works

• make_index.py lists all GitHub Releases and writes a PEP 503 "simple" index whose links point at the release wheel assets, with #sha256= fragments taken from the release asset digests (no wheel downloads needed).
• release.sh regenerates the full index after publishing wheels and force-pushes it to gh-pages (same pattern as the shim branches). Regeneration is stateless and covers every release ever made, so old lockfiles keep resolving.
• The index is already deployed and live (Pages source switched from the stale releases branch, which served 404s, to gh-pages).

Consumer side (openpilot)

dependencies = ["capnproto==1.0.1"]

[[tool.uv.index]]
name = "comma-dependencies"
url = "https://commaai.github.io/dependencies/simple/"
explicit = true

[tool.uv.sources]
capnproto = { index = "comma-dependencies" }

vs. the shim approach: no git clones, no setup.py build step downloading wheels with zero hash verification, real sha256 pins in uv.lock, and no more uv cache clean dance since versions are immutable tags instead of force-pushed branches. Verified end-to-end: uv and plain pip both resolve and install from the live index (incl. the bare linux_x86_64 tag), capnproto smoketest passes.

The release-* shim branches are still published for now; once openpilot is migrated they can be deleted along with _shim_setup.py in a follow-up.

🤖 Generated with Claude Code