uv version 0.4.23+ [[tool.uv.index]] option currently not supported #32265

Open
rarkins opened this issue Nov 1, 2024 Discussed in #32226 · 2 comments
Labels: manager:pep621 (Python pyproject.toml files), priority-3-medium (Default priority, "should be done" but isn't prioritised ahead of others), type:feature (Feature (new functionality))

rarkins commented Nov 1, 2024

Discussed in #32226

Originally posted by fdorssers October 30, 2024
Hi all, I'm using Renovate for a repo that uses uv with dependencies both from the normal pypi index, as well as a private artifactory index. At the moment Renovate does not recognize the index definition in pyproject.toml.

In 0.4.23 (PR, docs) uv introduced the option to define your indices in pyproject.toml as follows:

[project]
name = "project-name"
...
dependencies = [
    "boto3==1.35.42",
    "my-private-package==1.2.3"
]

[[tool.uv.index]]
name = "<index_name>"
url = "<private_artifactory_url>"
explicit = true

[tool.uv.sources]
my-private-package= { index = "<index_name>" }

Where verification with the private source can be done with a username and password set as environment variables with the names:

UV_INDEX_<index_name>_USERNAME=...
UV_INDEX_<index_name>_PASSWORD=...

Currently, even when I provide these environment variables to Renovate, it does not recognize the packages. Below are some examples from the logs:

build	30-Oct-2024 13:34:35	DEBUG: GET https://pypi.org/pypi/my-private-package/json = (code=ERR_NON_2XX_3XX_RESPONSE, statusCode=404 retryCount=0, duration=151) (repository=...)

...

build	30-Oct-2024 13:34:36	DEBUG: GET https://pypi.org/pypi/my-private-package/ = (code=ERR_NON_2XX_3XX_RESPONSE, statusCode=404 retryCount=0, duration=369) (repository=...)
build	30-Oct-2024 13:34:36	DEBUG: Datasource 404 (repository=...)
build	30-Oct-2024 13:34:36	       "datasource": "pypi",
build	30-Oct-2024 13:34:36	       "packageName": "my-private-package",
build	30-Oct-2024 13:34:36	       "url": "https://pypi.org/project/my-private-package/"
build	30-Oct-2024 13:34:36	DEBUG: Failed to look up pypi package my-private-package (repository=..., packageFile=pyproject.toml, dependency=my-private-package)

...

ld	30-Oct-2024 13:34:41	               {
build	30-Oct-2024 13:34:41	                 "packageName": "my-private-package",
build	30-Oct-2024 13:34:41	                 "depName": "my-private-package",
build	30-Oct-2024 13:34:41	                 "datasource": "pypi",
build	30-Oct-2024 13:34:41	                 "depType": "project.dependencies",
build	30-Oct-2024 13:34:41	                 "currentValue": "==0.0.1",
build	30-Oct-2024 13:34:41	                 "currentVersion": "0.0.1",
build	30-Oct-2024 13:34:41	                 "lockedVersion": "0.0.1",
build	30-Oct-2024 13:34:41	                 "updates": [],
build	30-Oct-2024 13:34:41	                 "versioning": "pep440",
build	30-Oct-2024 13:34:41	                 "warnings": [
build	30-Oct-2024 13:34:41	                   {
build	30-Oct-2024 13:34:41	                     "topic": "my-private-package",
build	30-Oct-2024 13:34:41	                     "message": "Failed to look up pypi package my-private-package"
build	30-Oct-2024 13:34:41	                   }
build	30-Oct-2024 13:34:41	                 ]
build	30-Oct-2024 13:34:41	               },

This currently prevents Renovate from:

  1. Detecting updates for packages from the private index
  2. Creating the lockfile for the dependencies

A minimal reproduction repository showcasing index url extraction is available here.

@rarkins rarkins added type:feature Feature (new functionality) priority-3-medium Default priority, "should be done" but isn't prioritised ahead of others manager:pep621 Python pyproject.toml files labels Nov 1, 2024

timo-reymann commented Nov 5, 2024

The following workaround works (not 100% clean):

{
  "packageRules": [
    {
      "matchPackageNames": [
        "private-package-name"
      ],
      "registryUrls": [
        "private-package-url"
      ]
    }
  ]
}

This will:

  • detect updates for the private packages
  • update the lock file accordingly

This will not:

  • Set the correct registry url in the uv.lock

Unfortunately, the lock file is getting “soft corrupted” by this (uv seems to still work with this as of 04.24).

Basically, the registry information in the lock file is set to the private registry for all packages. The sdist and wheel URLs seem to be untouched by this, so the lock itself is still valid.

This does not seem to affect the lock file itself, as uv lock does not touch the file again. (e.g., https://github.com/timo-reymann/renovate-uv-discussion-32226/pull/6/files).

Funnily enough, e.g., in the provided example, an update to boto3 would fix up the URLs again, keeping the private registry source. So it's kind of self-fixing?

EDIT: The messed up URL does not seem to appear all the time 🤷

@mkniewallner
Contributor

Interested in working on this, so feel free to assign me to the issue.
