feat(manager/pip-compile): add full support for lock files #26814

Closed
wants to merge 10 commits into from

Conversation

not7cd
Contributor

@not7cd not7cd commented Jan 23, 2024

Changes

As this is a draft PR, the list below is a planned scope.

  • Extract dependencies from lock files, as only requirements.in is handled at the moment.
  • Run pip-compile --upgrade-package for indirect dependencies that exist only in requirements.txt.
    • Bundle updates to lock file and run a single command if grouped.
  • Better command extraction handling. Allow for CUSTOM_COMPILE_COMMAND if it doesn't obstruct original arguments. See Feature request: pip-compile support #24725 (reply in thread)
  • Handle other pip-compile arguments, pass them without change so as not to change the command in the header.

Context

Support for pip-compile is partial. It doesn't parse lock files like other implemented managers do. In turn, it will ignore updates for dependencies in the lock file. It also "eats" arguments extracted from the header in the lock file, for example when --no-emit-index-url is dropped. This is very undesirable, as PIP_INDEX_URL can contain secrets like HTTP passwords. Lastly, the hard-coded pip-compile command doesn't allow for CUSTOM_COMPILE_COMMAND, and will not allow for setups that require docker containers that have system dependencies pre-installed.

Discussion 2018-2022: #24725

Documentation (please check one with an [x])

  • I have updated the documentation, or
  • No documentation update is required

How I've tested my work (please select one)

I have verified these changes via:

  • Code inspection only, or
  • Newly added/modified unit tests, or
  • No unit tests but ran on a real repository, or
  • Both unit tests + ran on a real repository
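
The failure mode described under Context, as an added example that is not part of this PR or of Renovate's code: it reads the command recorded in a pip-compile header, reports arguments a rebuilt command has dropped, and flags emitted index URLs that embed credentials. The function names, both sample lock files and the host are constructed for illustration, and arguments are assumed to contain no quoted whitespace.

```typescript
// Added illustration; not Renovate code. Both lock files are constructed samples.
const HEADER = [
  '#',
  '# This file is autogenerated by pip-compile with Python 3.11',
  '# by the following command:',
  '#',
  '#    pip-compile --no-emit-index-url --output-file=requirements.txt requirements.in',
  '#',
];
const SAFE_LOCK = [...HEADER, 'requests==2.31.0', '    # via -r requirements.in'].join('\n');
// What the file looks like after a regeneration that lost --no-emit-index-url.
const LEAKY_LOCK = [
  ...HEADER,
  '--index-url https://ci-user:CONSTRUCTED-PASSWORD@pypi.example.invalid/simple',
  'requests==2.31.0',
].join('\n');

// Return the recorded command as tokens, or null when no header is present.
// Assumption: whitespace splitting is enough (no quoted arguments).
function extractHeaderCommand(lock: string): string[] | null {
  const lines = lock.split(/\r?\n/);
  const marker = lines.findIndex((l) => /^#\s+by the following command:/.test(l));
  if (marker < 0) return null;
  for (const line of lines.slice(marker + 1)) {
    if (!line.startsWith('#')) break; // left the header block
    const body = line.slice(1).trim();
    if (body !== '') return body.split(/\s+/); // also covers a custom command
  }
  return null;
}

// Arguments recorded in the header that a rebuilt command no longer carries.
function droppedArgs(recorded: string[], rebuilt: string[]): string[] {
  const kept = new Set(rebuilt);
  return recorded.filter((arg) => !kept.has(arg));
}

// Hosts of emitted index URLs that embed credentials (the secret is never returned).
function credentialedIndexHosts(lock: string): string[] {
  const hosts: string[] = [];
  for (const line of lock.split(/\r?\n/)) {
    const m = /^--(?:extra-)?index-url[ =]\s*[a-z][a-z0-9+.-]*:\/\/[^\/@\s]+@([^\/\s]+)/i.exec(line.trim());
    if (m && m[1] !== undefined) hosts.push(m[1]);
  }
  return hosts;
}
```

Running `droppedArgs` on the header command and the command a tool is about to execute, before the lock file is rewritten, catches the dropped flag ahead of any credentialed URL reaching the repository.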

@rarkins
Collaborator

rarkins commented Jan 23, 2024

Hi @not7cd thanks very much for taking a shot at this! One thing I'd like to say though is that design decisions or review are better done in issues and not inline with PRs. Could you summarize your design decisions in #24725 so we can discuss there?

This includes some fundamental decisions such as how to map pip compile concepts to Renovate concepts (and whether any new concepts need adding), e.g. should the file.in be considered "package file" and the file.out be "lock file"? Should Renovate update individual requirements in file.out or only from file.in? etc

@not7cd
Contributor Author

not7cd commented Jan 23, 2024

Thanks for the quick response @rarkins. I need to figure out what Renovate concepts are. And this draft PR is a way to do it. I have already added one comment about package file discovery based on lock files.
#24725 (comment)

This method may have short legs, as it is a lossy operation. Good for option and args extraction needed for source file discovery.
@not7cd
Contributor Author

not7cd commented Jan 25, 2024

Dropped in favour of #26858

@not7cd not7cd closed this Jan 25, 2024
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 25, 2024