Align development requirements with Tidelift's Security-advised PyPI catalog

[aclark4life]

FYI I'm going to be setting up a GitHub Action for Tidelift for this:

• https://support.tidelift.com/hc/en-us/articles/4406286307220-Using-with-Continuous-Integration

In the Tidelift parlance, we're going to make sure our development environment "aligns with Security-advised PyPI catalog". While it's obviously not critical that folks use the latest docutils to develop Pillow, it may be interesting to be able to say our development requirements "meet certain licensing, security or other standards". If nothing else, it will definitely help Tidelift as they try to improve "how lifters work with Tidelift and their subscribers". 👍

[aclark4life]

Done, pending merge of #5763

[hugovk]

https://support.tidelift.com/hc/en-us/articles/4406286154004 says of the type:

Whether it's used at runtime or development

The screenshot shows only runtime, but these are all for development (maybe excepting olefile, which is an optional dependency, but must be installed separately and we only install for testing).

Is there a way to mark them as development?

[aclark4life]

@hugovk I haven't considered doing it for runtime yet because to create a project on Tidelift, we need a requirements.txt file (or Pipfile) and all of our dependencies are in setup.py right? Not opposed to doing runtime … but this is a WIP.

[aclark4life]

@hugovk Should I put a conditional on this? Seems to be running a lot 😂 5c69dc7

[hugovk]

@hugovk I haven't considered doing it for runtime yet because to create a project on Tidelift, we need a requirements.txt file (or Pipfile) and all of our dependencies are in setup.py right? Not opposed to doing runtime … but this is a WIP.

Off the top of my head we don't have any required runtime dependencies (only optional).

@hugovk Should I put a conditional on this? Seems to be running a lot 😂 5c69dc7

What is the action actually doing? Gathering stats for the catalogue?

When do we want it to run? Is it something that should fail a PR if something needs doing? Or just need to run it occasionally, like when something is pushed to master, like a PR merge?

https://support.tidelift.com/hc/en-us/articles/4406286307220-Using-with-Continuous-Integration suggests every PR:

This action will run a check on every pull request to see if all of your dependencies are included in your catalog's approved release list.

What sort of failures can we expect, what action would I as a developer need to take if something failed?

[hugovk]

Maybe @JeffStern can help ^ with my questions :)

@aclark4life Maybe let's revert the action for now and put it in the PR as well? To make sure it's running properly and is also skipped for forks (i.e. avoid this https://github.com/hugovk/Pillow/actions/runs/1343212315). I'd especially like things running smoothly for tomorrow's release :) Starting tomorrow morning, Europe time.

[aclark4life]

@hugovk Sure go ahead