Python private registry credentials support for pipenv #24394
-
How are you running Renovate?Mend Renovate hosted app on github.com If you're self-hosting Renovate, tell us what version of Renovate you run.No response If you're self-hosting Renovate, select which platform you are using.None Was this something which used to work for you, and then stopped?I never saw this working Wanted end result.Wanted end result
TL;DRI want the following workflow to work:
What happens under the hood
How I think realistically (why realistically? because it might be considered suboptimal, but realistically speaking we can't expect changes in pipenv behaviour) this should work
One possible way for specifying it might be like this: {
"matchHost": "https://europe-west3-python.pkg.dev/gcp-project-foo-4242/gcp-pypi-repo-bar/simple/",
"hostType": "pipenv",
"username": "_json_key_base64",
"encrypted": {
"password": "pwd"
},
"env_var_username": "PYTHON_REPOSITORY_USERNAME",
"env_var_password": "PYTHON_REPOSITORY_PASSWORD"
} Highlights from the suggestion:
This issue has been previously discussed, but nothing has been resolved yet:
When I mentioned suboptimal pipenv behaviour, I meant it's way of defining pypi repo with env var substitution for credentials, but ignoring
I'd be happy to contribute changes myself :) What you tried so far.Given the following [[source]]
url = "https://pypi.python.org/simple"
verify_ssl = true
name = "pypi"
[[source]]
url = "https://${PYTHON_REPOSITORY_USERNAME}:${PYTHON_REPOSITORY_PASSWORD}@europe-west3-python.pkg.dev/gcp-project-foo-4242/gcp-pypi-repo-bar/simple/"
verify_ssl = true
name = "privatedummy"
[requires]
python = "=3.11"
[packages]
numpy = "==1.25.2"
[dev-packages]
privatepkg = { version = "==0.0.1", index = "privatedummy" } I tried specifying the following in
Relevant debug logsLogs with successful `pip`, but failing `pipenv`
|
Beta Was this translation helpful? Give feedback.
Replies: 4 comments 9 replies
-
Starting at the beginning: is Renovate looking up these private dependencies correctly and detecting updates? i.e. the step that's failing is after that when Renovate calls I am confirming this because you wrote:
But I'm assuming the Pipfile is updated and it's the Pipfile.lock which is not |
Beta Was this translation helpful? Give feedback.
-
Yes, it does, but only with
That is correct The issue is two-folded:
|
Beta Was this translation helpful? Give feedback.
-
Looking at Renovate's pipenv artifacts updating code, it doesn't look like there's any existing private registry support. This looks to be Pipenv's support: https://pipenv.pypa.io/en/latest/credentials/ Their first suggestion is:
One possibility would be for Renovate to populate env, as you're requesting, but at this point we haven't implemented a way to specify custom environment variables safely. What I propose is to solve this with packageRules, simply like this:
And then we employ logic prior to calling |
Beta Was this translation helpful? Give feedback.
-
This has been resolved in #24581. One pipenv private repo is currently supported:
[[source]]
url = "https://$USERNAME:${PASSWORD}@mypypi.example.com/simple"
verify_ssl = true
name = "pypi"
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"hostRules": [
{
"matchHost": "mypypi.example.com",
"username": "<username>",
"password": "<password>"
}
]
} |
Beta Was this translation helpful? Give feedback.
This has been resolved in #24581. One pipenv private repo is currently supported:
https://docs.renovatebot.com/getting-started/private-packages/#pipenv
Pipfile
renovate.json