feat: persist requirements.txt as a build artifact #284
Actually… we probably want a python-package-template/Makefile Lines 83 to 85 in c754175
but we do not want these additional dependencies deployed to a production environment. The
and not contain the
Yes, agreed. SBOM will already contain all the non-production dependencies. Maybe we should document this difference in the README.md file?
I think this would work:
But we have a race condition here, I think. If between building the SBOM and building this new
Should we build
first for the requirements, and then add the additional dependencies after
which should use the existing packages. We may want to disable the
Before I forget: I think we could take a look at the
Considering that the production dependencies are a subset of the all-inclusive dependencies, step 3 ought to install the same packages as for step 1. Worth exploring, methinks 🤔
I added a Then things get tricky, mainly because we still depend on the hashin tool until there’s a resolution to issue pip freeze with a hash (#4732). Basically, we want to generate a
To be honest, the changes to the
Hmm, I think we should consider replacing
for pkg in `python -m pip freeze --local --disable-pip-version-check --exclude-editable`; do
echo -n $pkg;
[[ $pkg =~ (.*)==(.*) ]] && curl -s https://pypi.org/pypi/${BASH_REMATCH[1]}/json | python -c "import json, sys; print(''.join(f''' \\\\\n --hash=sha256:{pkg['digests']['sha256']}''' for pkg in json.load(sys.stdin)['releases']['${BASH_REMATCH[2]}']));";
done
which, given an arbitrary venv, produces
So this change works beautifully without any additional packages:
diff --git a/Makefile b/Makefile
index 6e8c9a3..7e42191 100644
--- a/Makefile
+++ b/Makefile
@@ -113,9 +113,10 @@ sbom: requirements
requirements: requirements.txt
requirements.txt: pyproject.toml
echo -n "" > requirements.txt
- REQUIREMENTS=`python -m pip freeze --local --disable-pip-version-check --exclude-editable`; \
- python -m pip install hashin; \
- for pkg in $$REQUIREMENTS; do hashin --verbose --algorithm sha256 --include-prereleases $$pkg; done
+ for pkg in `python -m pip freeze --local --disable-pip-version-check --exclude-editable`; do \
+ echo -n $$pkg >> requirements.txt; \
+ [[ $$pkg =~ (.*)==(.*) ]] && curl -s https://pypi.org/pypi/$${BASH_REMATCH[1]}/json | python -c "import json, sys; print(''.join(f''' \\\\\n --hash=sha256:{pkg['digests']['sha256']}''' for pkg in json.load(sys.stdin)['releases']['$${BASH_REMATCH[2]}']));" >> requirements.txt; \
+ done
echo -e -n "package==$(PACKAGE_VERSION)" >> requirements.txt
if [ -f dist/package-$(PACKAGE_VERSION).tar.gz ]; then \
echo -e -n " \\\\\n `pip hash --algorithm sha256 dist/package-$(PACKAGE_VERSION).tar.gz | grep '^\-\-hash'`" >> requirements.txt; \ |
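Review bot: the `[[ $$pkg =~ (.*)==(.*) ]]` test added to the loop is a bash-only construct, but make runs recipe lines with /bin/sh unless the Makefile sets `SHELL := /bin/bash`, so on a system where sh is dash the rule dies with a syntax error; either set SHELL or switch to a POSIX form such as `case $$pkg in *==*) name=$${pkg%%==*}; version=$${pkg##*==} ;; esac`. The error handling of the new lines also deserves a look: `curl -s` has no `--fail`, the pipeline has no `set -e`/`set -o pipefail`, and `echo -n $$pkg >> requirements.txt` runs before the lookup, so a failed request feeds an HTML or empty body into python, whose non-zero exit is ignored inside the `for` loop while the bare `name==version` pin has already been written. `pip install --require-hashes` will still refuse such a file, which is the safe outcome, but the failure surfaces far from its cause; `curl -sSf` plus `set -e; set -o pipefail;` at the start of the recipe line would make the build stop at the lookup that failed. Quoting `"$$pkg"` would also avoid word splitting on anything pip freeze prints that is not a plain pin.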
That's neat! I think it's worth giving it a go. We can change it back if it faces issues.
Commit 3792ace.
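The hash-pinning step from the Makefile change above (pins from `pip freeze`, sha256 digests from the per-package PyPI JSON document), carried out in Python as an added example that is not part of this project or the discussion. The freeze output and the PyPI JSON are constructed stand-ins embedded inline, with placeholder digests, so the code runs offline; the `fetch` callable stands in for the `curl https://pypi.org/pypi/<name>/json` call. It adds the two checks the shell loop lacks: a non-`==` requirement fails the build instead of silently producing an unhashed line, and the finished file is parsed back to confirm every requirement carries a `--hash`, which is what `pip install --require-hashes` demands.

```python
"""Generate a hash-pinned requirements.txt from `pip freeze` output and PyPI JSON metadata.

Added example for the Makefile discussion (not the project's code). Same steps as the shell
loop, done offline: pins come from freeze output, sha256 digests from the per-package JSON
document, and the output is checked to be acceptable to `pip install --require-hashes`.
"""
import re
from typing import Callable, Dict, List, Tuple

PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)==(?P<version>[^\s;]+)$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Constructed sample of `python -m pip freeze --local --exclude-editable` output.
# The third line has no `==` pin, the case the shell loop's regex test skips over.
SAMPLE_FREEZE = "certifi==2023.7.22\nidna==3.4\nsomepkg @ file:///tmp/somepkg\n"

# Constructed stand-in for https://pypi.org/pypi/<name>/json bodies: only the
# releases -> version -> digests -> sha256 path used in the thread is modelled, and the
# digests are placeholder values, not real PyPI hashes.
H1, H2, H3 = "1" * 64, "2" * 64, "3" * 64
SAMPLE_PYPI_JSON: Dict[str, dict] = {
    "certifi": {"releases": {"2023.7.22": [
        {"filename": "certifi-2023.7.22-py3-none-any.whl", "digests": {"sha256": H1}},
        {"filename": "certifi-2023.7.22.tar.gz", "digests": {"sha256": H2}},
    ]}},
    "idna": {"releases": {"3.4": [
        {"filename": "idna-3.4-py3-none-any.whl", "digests": {"sha256": H3}},
    ]}},
}


def parse_freeze(text: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Split freeze output into (name, version) pins and lines that are not `==` pins."""
    pins, unpinned = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if m:
            pins.append((m["name"], m["version"]))
        else:
            unpinned.append(line)
    return pins, unpinned


def hashes_for(metadata: dict, version: str) -> List[str]:
    """Return every sha256 digest the index lists for this release (wheels and sdist)."""
    files = metadata.get("releases", {}).get(version)
    if not files:
        raise ValueError(f"no release {version!r} in PyPI metadata")
    digests = [f["digests"]["sha256"] for f in files if "digests" in f]
    if not digests or any(not SHA256_RE.match(d) for d in digests):
        raise ValueError(f"release {version!r} has missing or malformed sha256 digests")
    return digests


def render_requirement(name: str, version: str, hashes: List[str]) -> str:
    """One requirement in the backslash-continued layout pip's requirement files accept."""
    lines = [f"{name}=={version} \\"] + [f"    --hash=sha256:{h} \\" for h in hashes]
    return "\n".join(lines).rstrip(" \\")


def build_requirements(freeze_text: str, fetch: Callable[[str], dict]) -> str:
    """Full pipeline; `fetch` maps a package name to its PyPI JSON document (here: a dict)."""
    pins, unpinned = parse_freeze(freeze_text)
    if unpinned:
        # A requirement without `==` cannot be given a hash, and a single unhashed line
        # makes `pip install --require-hashes` refuse the whole file, so fail loudly here.
        raise ValueError(f"cannot hash-pin non-== requirements: {unpinned}")
    blocks = [render_requirement(n, v, hashes_for(fetch(n), v)) for n, v in pins]
    return "\n".join(blocks) + "\n"


def unhashed_requirements(requirements_text: str) -> List[str]:
    """Requirements that carry no --hash option; an empty list means the file is fully pinned."""
    logical, buf = [], ""
    for raw in requirements_text.splitlines():
        buf += raw.rstrip()
        if buf.endswith("\\"):          # continuation line: keep accumulating
            buf = buf[:-1] + " "
            continue
        logical.append(buf)
        buf = ""
    if buf:
        logical.append(buf)
    return [line.split()[0] for line in logical
            if line.strip() and not line.lstrip().startswith("#") and "--hash=" not in line]


if __name__ == "__main__":
    out = build_requirements("certifi==2023.7.22\nidna==3.4\n", SAMPLE_PYPI_JSON.__getitem__)
    print(out, end="")
    print("unhashed:", unhashed_requirements(out))
    try:
        build_requirements(SAMPLE_FREEZE, SAMPLE_PYPI_JSON.__getitem__)
    except ValueError as exc:
        print("rejected:", exc)
```

Replacing the `fetch` argument with a real HTTP client that checks the response status is the only change needed to run it against the index; the hash-coverage check at the end is worth keeping as the gate before the generated file is published as the build artifact.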
It would be an interesting challenge to use jq instead of Python to process the JSON file returned by the API. But that can be explored later.
I think it makes sense to add the generated requirements.txt file as a permanent build artifact. While it duplicates information in the SBOM, it’s also useful for downstream actions to use—think of, for example, a docker.yaml which is triggered on release and which produces a Python application image using the pinned, generated requirements from the build.