chore: require hashes when installing dependencies in owlbot postproc…

…essor job (#1691) (#355) * chore: install dependencies through requirements file Source-Link: googleapis/synthtool@35f4cba Post-Processor: gcr.io/cloud-devrel-public-resources/owlbot-java:latest@sha256:821ab7aba89af2c7907e29297bba024d4cd5366d0684e5eb463391cdf4edc9ee Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
googleapis · Nov 4, 2022 · 16322b8 · 16322b8
1 parent 98b9085
commit 16322b8
Show file tree

Hide file tree

Showing 8 changed files with 495 additions and 55 deletions.
diff --git a/.github/.OwlBot.lock.yaml b/.github/.OwlBot.lock.yaml
@@ -13,4 +13,4 @@
 # limitations under the License.
 docker:
   image: gcr.io/cloud-devrel-public-resources/owlbot-java:latest
-  digest: sha256:8175681a918181d306d9c370d3262f16b4c724cc73d74111b7d42fc985ca7f93
+  digest: sha256:821ab7aba89af2c7907e29297bba024d4cd5366d0684e5eb463391cdf4edc9ee
diff --git a/.kokoro/dependencies.sh b/.kokoro/dependencies.sh
@@ -57,54 +57,3 @@ retry_with_backoff 3 10 \
     -Dclirr.skip=true
 
 mvn -B dependency:analyze -DfailOnWarning=true
-
-echo "****************** DEPENDENCY LIST COMPLETENESS CHECK *******************"
-## Run dependency list completeness check
-function completenessCheck() {
-  # Output dep list with compile scope generated using the original pom
-  # Running mvn dependency:list on Java versions that support modules will also include the module of the dependency.
-  # This is stripped from the output as it is not present in the flattened pom.
-  # Only dependencies with 'compile' or 'runtime' scope are included from original dependency list.
-  msg "Generating dependency list using original pom..."
-  mvn dependency:list -f pom.xml -DincludeScope=runtime -Dsort=true | grep '\[INFO]    .*:.*:.*:.*:.*' | sed -e 's/ --.*//' >.org-list.txt
-
-  # Output dep list generated using the flattened pom (only 'compile' and 'runtime' scopes)
-  msg "Generating dependency list using flattened pom..."
-  mvn dependency:list -f .flattened-pom.xml -DincludeScope=runtime -Dsort=true | grep '\[INFO]    .*:.*:.*:.*:.*' >.new-list.txt
-
-  # Compare two dependency lists
-  msg "Comparing dependency lists..."
-  diff .org-list.txt .new-list.txt >.diff.txt
-  if [[ $? == 0 ]]
-    then
-      msg "Success. No diff!"
-  else
-    msg "Diff found. See below: "
-    msg "You can also check .diff.txt file located in $1."
-    cat .diff.txt
-    return 1
-  fi
-}
-
-# Allow failures to continue running the script
-set +e
-
-error_count=0
-for path in **/.flattened-pom.xml
-do
-  # Check flattened pom in each dir that contains it for completeness
-  dir=$(dirname "$path")
-  pushd "$dir"
-  completenessCheck "$dir"
-  error_count=$(($error_count + $?))
-  popd
-done
-
-if [[ $error_count == 0 ]]
-then
-  msg "All checks passed."
-  exit 0
-else
-  msg "Errors found. See log statements above."
-  exit 1
-fi
diff --git a/.kokoro/release/publish_javadoc.sh b/.kokoro/release/publish_javadoc.sh
@@ -28,7 +28,7 @@ fi
 pushd $(dirname "$0")/../../
 
 # install docuploader package
-python3 -m pip install gcp-docuploader
+python3 -m pip install --require-hashes -r .kokoro/requirements.txt
 
 # compile all packages
 mvn clean install -B -q -DskipTests=true

diff --git a/.kokoro/release/publish_javadoc11.sh b/.kokoro/release/publish_javadoc11.sh
@@ -28,7 +28,7 @@ fi
 pushd $(dirname "$0")/../../
 
 # install docuploader package
-python3 -m pip install gcp-docuploader
+python3 -m pip install --require-hashes -r .kokoro/requirements.txt
 
 # compile all packages
 mvn clean install -B -q -DskipTests=true

diff --git a/.kokoro/release/stage.sh b/.kokoro/release/stage.sh
@@ -16,7 +16,8 @@
 set -eo pipefail
 
 # Start the releasetool reporter
-python3 -m pip install gcp-releasetool
+requirementsFile=$(realpath $(dirname "${BASH_SOURCE[0]}")/../requirements.txt)
+python3 -m pip install --require-hashes -r $requirementsFile
 python3 -m releasetool publish-reporter-script > /tmp/publisher-script; source /tmp/publisher-script
 
 source $(dirname "$0")/common.sh

diff --git a/.kokoro/requirements.in b/.kokoro/requirements.in
@@ -0,0 +1,33 @@
+gcp-docuploader==0.6.3
+google-crc32c==1.3.0
+googleapis-common-protos==1.56.3
+gcp-releasetool==1.8.7
+cachetools==4.2.4
+cffi==1.15.1
+jeepney==0.7.1
+jinja2==3.0.3
+markupsafe==2.0.1
+keyring==23.4.1
+packaging==21.3
+protobuf==3.19.5
+pyjwt==2.4.0
+pyparsing==3.0.9
+pycparser==2.21
+pyperclip==1.8.2
+python-dateutil==2.8.2
+requests==2.27.1
+certifi==2022.9.24
+importlib-metadata==4.8.3
+zipp==3.6.0
+google_api_core==2.8.2
+google-cloud-storage==2.0.0
+google-resumable-media==2.3.3
+google-cloud-core==2.3.1
+typing-extensions==4.1.1
+urllib3==1.26.12
+zipp==3.6.0
+rsa==4.9
+six==1.16.0
+attrs==22.1.0
+google-auth==2.11.0
+idna==3.4
diff --git a/.kokoro/requirements.txt b/.kokoro/requirements.txt
diff --git a/renovate.json b/renovate.json
@@ -10,6 +10,7 @@
     ":maintainLockFilesDisabled",
     ":autodetectPinVersions"
   ],
+  "ignorePaths": [".kokoro/requirements.txt"],
   "packageRules": [
     {
       "packagePatterns": [