Python private registry credentials support for pipenv

[maxromanovsky]

How are you running Renovate?

Mend Renovate hosted app on github.com

If you're self-hosting Renovate, tell us what version of Renovate you run.

No response

If you're self-hosting Renovate, select which platform you are using.

None

Was this something which used to work for you, and then stopped?

I never saw this working

Wanted end result.

Wanted end result

• Renovate can successfully update Pipfile and Pipfile.lock
• Renovate can use hostRules for pypi repo defined in Pipfile not only by exact hostname match, but also by matching protocol + hostname + path (i.e. baseUrl)

TL;DR

I want the following workflow to work:

• specify a [[source]] url in Pipfile containing username & password environment variable names for private repo
• provide these credentials (and specify hostRule with basePath to pypi repo) in renovate.json
• Mend Renovate should be able to create new PRs containing dependency version updates in Pipfile (new versions) and Pipfile.lock (new version metadata)

What happens under the hood

• If I specify hostRule with just a hostname as a value (i.e. w/o protocol and path), then pip can discover new version updates. That's why Pipfile is bein updated.
• However, second step (updating Pipfile.lock with all the hashes etc.) fails, because pipenv won't pick up credentials to authenticate and do it's magic
• Yet another issue (although not something that I currently experience) is that specifying hostRule w/o base path in my case might lead to other issues in case if there's need to retrieve packages from other pypi repo on the same hostname: this is a shared regional hostname for GCP artifact registry, and different GCP projects (or repos within the same project) will share it among themselves

How I think realistically (why realistically? because it might be considered suboptimal, but realistically speaking we can't expect changes in pipenv behaviour) this should work

• it's possible to specify baseUrl, username and password in hostRules for repos defined in Pipenv, where repo URL contains environment variables for username & password substitution
• baseUrl properly works for pip to discover updates
• username & password are also passed to pipenv to allow updates in lock file

One possible way for specifying it might be like this:

{
  "matchHost": "https://europe-west3-python.pkg.dev/gcp-project-foo-4242/gcp-pypi-repo-bar/simple/",
  "hostType": "pipenv",
  "username": "_json_key_base64",
  "encrypted": {
    "password": "pwd"
  },
  "env_var_username": "PYTHON_REPOSITORY_USERNAME",
  "env_var_password": "PYTHON_REPOSITORY_PASSWORD"
}

Highlights from the suggestion:

• matchHost contains base URL w/o authn credentials
• New pipenv hostType is introduced to denote change in behaviour
• env_var_username and env_var_password are introduced to pass credentials in environment (or .env file) to pipenv

This issue has been previously discussed, but nothing has been resolved yet:

• Python private registry support for pipenv #4487
• feat(pipenv): allow to inject custom env variables #9337

When I mentioned suboptimal pipenv behaviour, I meant it's way of defining pypi repo with env var substitution for credentials, but ignoring pip.conf, which has also been discussed, but with no resolution:

• pipenv doesn't respect pip.conf pypa/pipenv#856
• Allow pipenv to respect an external configuration to change the default pip mirror pypa/pipenv#1451
• Make pipenv respect pip.conf with an optional arugment pypa/pipenv#5710

I'd be happy to contribute changes myself :)

What you tried so far.

Given the following Pipfile:

[[source]]
url = "https://pypi.python.org/simple"
verify_ssl = true
name = "pypi"

[[source]]
url = "https://${PYTHON_REPOSITORY_USERNAME}:${PYTHON_REPOSITORY_PASSWORD}@europe-west3-python.pkg.dev/gcp-project-foo-4242/gcp-pypi-repo-bar/simple/"
verify_ssl = true
name = "privatedummy"

[requires]
python = "=3.11"

[packages]
numpy = "==1.25.2"

[dev-packages]
privatepkg = { version = "==0.0.1", index = "privatedummy" }

I tried specifying the following in hostRules[].matchHost:

value	Pipfile	Pipfile.lock
https://${PYTHON_REPOSITORY_USERNAME}:${PYTHON_REPOSITORY_PASSWORD}@europe-west3-python.pkg.dev/gcp-project-foo-4242/gcp-pypi-repo-bar/simple/	fail	fail
https://europe-west3-python.pkg.dev/gcp-project-foo-4242/gcp-pypi-repo-bar/simple/	fail	fail
europe-west3-python.pkg.dev/gcp-project-foo-4242	pass	fail

Relevant debug logs

Logs with successful `pip`, but failing `pipenv`

Command failed: docker run --rm --name=renovate_a_sidecar --label=renovate_a_child --memory=3584m -v "/tmp/worker/b287e1/b486bf/repos/github/foo/renovate-test":"/tmp/worker/b287e1/b486bf/repos/github/foo/renovate-test" -v "/tmp/worker/b287e1/b486bf/cache":"/tmp/worker/b287e1/b486bf/cache" -e PIPENV_CACHE_DIR -e PIP_CACHE_DIR -e CONTAINERBASE_CACHE_DIR -w "/tmp/worker/b287e1/b486bf/repos/github/foo/renovate-test" ghcr.io/containerbase/sidecar:9.19.4 bash -l -c "install-tool python 3.11.5 && install-tool pipenv 2023.9.8 && pipenv lock"
Creating a virtualenv for this project...
Pipfile: /tmp/worker/b287e1/b486bf/repos/github/foo/renovate-test/Pipfile
Using default python from /opt/containerbase/tools/pipenv/2023.9.8/3.11/bin/python (3.11.5) to create virtualenv...
created virtual environment CPython3.11.5.final.0-64 in 754ms
  creator CPython3Posix(dest=/home/ubuntu/.local/share/virtualenvs/renovate-test-C-7WgYtK, clear=False, no_vcs_ignore=False, global=False)
  seeder FromAppData(download=False, pip=bundle, setuptools=bundle, wheel=bundle, via=copy, app_data_dir=/home/ubuntu/.local/share/virtualenv)
    added seed packages: pip==23.2.1, setuptools==68.2.0, wheel==0.41.2
  activators BashActivator,CShellActivator,FishActivator,NushellActivator,PowerShellActivator,PythonActivator

✔ Successfully created virtual environment!
Virtualenv location: /home/ubuntu/.local/share/virtualenvs/renovate-test-C-7WgYtK
Locking [packages] dependencies...
Locking [dev-packages] dependencies...
False
CRITICAL:pipenv.patched.pip._internal.resolution.resolvelib.factory:Could not find a version that satisfies the requirement bar==0.0.6 (from versions: none)
[ResolutionFailure]:   File "/opt/containerbase/tools/pipenv/2023.9.8/3.11/lib/python3.11/site-packages/pipenv/resolver.py", line 645, in _main
[ResolutionFailure]:       resolve_packages(
[ResolutionFailure]:   File "/opt/containerbase/tools/pipenv/2023.9.8/3.11/lib/python3.11/site-packages/pipenv/resolver.py", line 612, in resolve_packages
[ResolutionFailure]:       results, resolver = resolve(
[ResolutionFailure]:       ^^^^^^^^
[ResolutionFailure]:   File "/opt/containerbase/tools/pipenv/2023.9.8/3.11/lib/python3.11/site-packages/pipenv/resolver.py", line 592, in resolve
[ResolutionFailure]:       return resolve_deps(
[ResolutionFailure]:       ^^^^^^^^^^^^^
[ResolutionFailure]:   File "/opt/containerbase/tools/pipenv/2023.9.8/3.11/lib/python3.11/site-packages/pipenv/utils/resolver.py", line 897, in resolve_deps
[ResolutionFailure]:       results, hashes, internal_resolver = actually_resolve_deps(
[ResolutionFailure]:       ^^^^^^^^^^^^^^^^^^^^^^
[ResolutionFailure]:   File "/opt/containerbase/tools/pipenv/2023.9.8/3.11/lib/python3.11/site-packages/pipenv/utils/resolver.py", line 670, in actually_resolve_deps
[ResolutionFailure]:       resolver.resolve()
[ResolutionFailure]:   File "/opt/containerbase/tools/pipenv/2023.9.8/3.11/lib/python3.11/site-packages/pipenv/utils/resolver.py", line 447, in resolve
[ResolutionFailure]:       raise ResolutionFailure(message=str(e))
[pipenv.exceptions.ResolutionFailure]: Warning: Your dependencies could not be resolved. You likely have a mismatch in your sub-dependencies.
  You can use $ pipenv run pip install <requirement_name> to bypass this mechanism, then run $ pipenv graph to inspect the versions actually installed in the virtualenv.
  Hint: try $ pipenv lock --pre if it is a pre-release dependency.
ERROR: No matching distribution found for bar==0.0.6

Traceback (most recent call last):
  File "/opt/containerbase/tools/pipenv/2023.9.8/3.11/bin/pipenv", line 8, in <module>
    sys.exit(cli())
             ^^^^^
  File "/opt/containerbase/tools/pipenv/2023.9.8/3.11/lib/python3.11/site-packages/pipenv/vendor/click/core.py", line 1130, in __call__
    return self.main(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pipenv/2023.9.8/3.11/lib/python3.11/site-packages/pipenv/cli/options.py", line 58, in main
    return super().main(*args, **kwargs, windows_expand_args=False)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pipenv/2023.9.8/3.11/lib/python3.11/site-packages/pipenv/vendor/click/core.py", line 1055, in main
    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pipenv/2023.9.8/3.11/lib/python3.11/site-packages/pipenv/vendor/click/core.py", line 1657, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pipenv/2023.9.8/3.11/lib/python3.11/site-packages/pipenv/vendor/click/core.py", line 1404, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pipenv/2023.9.8/3.11/lib/python3.11/site-packages/pipenv/vendor/click/core.py", line 760, in invoke
    return __callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pipenv/2023.9.8/3.11/lib/python3.11/site-packages/pipenv/vendor/click/decorators.py", line 84, in new_func
    return ctx.invoke(f, obj, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pipenv/2023.9.8/3.11/lib/python3.11/site-packages/pipenv/vendor/click/core.py", line 760, in invoke
    return __callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pipenv/2023.9.8/3.11/lib/python3.11/site-packages/pipenv/vendor/click/decorators.py", line 26, in new_func
    return f(get_current_context(), *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pipenv/2023.9.8/3.11/lib/python3.11/site-packages/pipenv/cli/command.py", line 340, in lock
    do_lock(
  File "/opt/containerbase/tools/pipenv/2023.9.8/3.11/lib/python3.11/site-packages/pipenv/routines/lock.py", line 65, in do_lock
    venv_resolve_deps(
  File "/opt/containerbase/tools/pipenv/2023.9.8/3.11/lib/python3.11/site-packages/pipenv/utils/resolver.py", line 838, in venv_resolve_deps
    c = resolve(cmd, st, project=project)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pipenv/2023.9.8/3.11/lib/python3.11/site-packages/pipenv/utils/resolver.py", line 707, in resolve
    raise RuntimeError("Failed to lock Pipfile.lock!")
RuntimeError: Failed to lock Pipfile.lock!

[rarkins]

Starting at the beginning: is Renovate looking up these private dependencies correctly and detecting updates? i.e. the step that's failing is after that when Renovate calls pipenv lock in order to update the Pipfile.lock.

I am confirming this because you wrote:

• Renovate can successfully update Pipfile and Pipfile.lock

But I'm assuming the Pipfile is updated and it's the Pipfile.lock which is not

[maxromanovsky]

@rarkins

is Renovate looking up these private dependencies correctly and detecting updates

Yes, it does, but only with "matchHost": "europe-west3-python.pkg.dev", which is coarse grained, given that there might be multiple pypi repos under the same hostname

But I'm assuming the Pipfile is updated and it's the Pipfile.lock which is not

That is correct

The issue is two-folded:

• lock file is not updated under any circumstances
• pip looks up private dependencies only if matchHost contains hostname only (w/o protocol & path)

[rarkins]

Please stick to one issue at a time. Which is best to solve first? If it's matchHost, please elaborate. I'm surprised if a https://...... approach in hostRules doesn't work, also surprised why it would be a problem to use the hostname instead. What problem does the "coarse grained" configuration cause - e.g. do you have multiple tokens for different packages on the same host?

[maxromanovsky]

Let's concentrate on one issue, agreed.
Major issue for me is Pipfile.lock not being updated.
I can elaborate on the second issue too, or I can create another discussion for it.

[rarkins]

Looking at Renovate's pipenv artifacts updating code, it doesn't look like there's any existing private registry support.

This looks to be Pipenv's support: https://pipenv.pypa.io/en/latest/credentials/

Their first suggestion is:

[[source]]
url = "https://$USERNAME:${PASSWORD}@mypypi.example.com/simple"
verify_ssl = true
name = "pypi"

One possibility would be for Renovate to populate env, as you're requesting, but at this point we haven't implemented a way to specify custom environment variables safely.

What I propose is to solve this with packageRules, simply like this:

{
  "matchHost": "https://europe-west3-python.pkg.dev/gcp-project-foo-4242/gcp-pypi-repo-bar/simple/",
  "hostType": "pipenv",
  "username": "_json_key_base64",
  "encrypted": {
    "password": "pwd"
  }
}

And then we employ logic prior to calling pipenv lock to look for this matchHost in the Pipfile and add or replace the username:password part with what's in the hostRules. What do you think?

[maxromanovsky]

@rarkins

We also could even support when the user has left off such env and add it ourselves.

I don't think it's necessary to support such approach, as again in this case it wouldn't be possible to pass credentials to pipenv without changing the Pipfile, and thus hashes as well.

Simplest approach: we support one such host, must be USERNAME and PASSWORD

TBH, simplest approach would work for me, as I need only one private repo.

It probably won't be generic enough to support other workflows and requirements, but I'll leave design questions to you. All in all, as I can see there's not much demand (at least expressed publicly via discussions or issues) for this functionality.

I wonder though why don't you want to allow users to specify explicitly what env variables to populate. In that case you won't need to implement that complex logic of guessing the right variables and right values (consider again that users might put FQDN and baseURL into matchHost).

But as I said, I'll leave that to you. My use case would be covered by supporting one host, and I can put either FQDN or baseURL into matchHost 😉

[rarkins]

I wonder though why don't you want to allow users to specify explicitly what env variables to populate.

Allowing arbitrary environment variables is a security risk.

[maxromanovsky]

Right, in this case a prefix can be appended, e.g. PIPENV_REPO_

[maxromanovsky]

@rarkins let me know if I can help you with this issue in any way

[rarkins]

I created feature request issue #24541

You're welcome to submit a PR according to that description

[maxromanovsky]

This has been resolved in #24581. One pipenv private repo is currently supported:
https://docs.renovatebot.com/getting-started/private-packages/#pipenv

Pipfile

[[source]]
url = "https://$USERNAME:${PASSWORD}@mypypi.example.com/simple"
verify_ssl = true
name = "pypi"

renovate.json

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "hostRules": [
    {
      "matchHost": "mypypi.example.com",
      "username": "<username>",
      "password": "<password>"
    }
  ]
}