This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature request: pip-compile support #2334
Comments
Interesting. This would probably correspond to our concept of “lock file maintenance” but in this case we consider |
Yes, but as Also reasonable default values for the conf-dict would probably be
Enabling the tool without specifying in/out files would then result in the tool being run without any arguments/flags. |
I think I’d define this as a new manager called Majority of the other logic would be calling functions in |
(We're using dependabot but we'd like options, and renovate has come highly recommended...) We use pip-compile, and currently our only choice in this space (I think?) is Dependabot.
It's (much) more complicated than that - .txt is a lockfile in this scenario, it contains the whole dependency tree, not just the direct dependencies. Essentially, you change the .in file as required, then run pip-compile over it to generate the .txt file. For a usefully limited PR for package X, you'd probably want to then filter the .txt file diff to limit the PR to just the dependencies of package X, because pip-compile will otherwise update everything at once. A common pip-compile workflow is to have multiple pairs of files:
... which have to be compiled in a specific order. So when updating a dependency mentioned in base.in, you'd want to first compile base.in to produce base.txt, and then compile production.in to produce production.txt. pip-compile has recently added direct support for dependent requirements via the This workflow is described in the first 1/3 of https://jamescooke.info/a-successful-pip-tools-workflow-for-managing-python-package-requirements.html Our current addition to this for our tooling is the |
@craigds thank you for the detailed description.
Could this be achieved using Regarding ordering, I'm thinking that Renovate could determine the required ordering by parsing/understanding the |
It would be great if you or anyone in this thread could build up an example repo along the lines described:
|
Looks like it, yes, though I haven't used that option myself.
yes, that'd be amazing 👍 note that |
@rarkins see https://github.com/twslade/renovatebot-pip-tools-example In the directory structure you listed above, there is a pip-compile --output-file local.txt base.in local.in |
I suppose... The problem with that is:
|
But I guess it'd be great if renovatebot could handle both styles :) |
Thanks, I was thinking the same thing. If the ordering of execution matters then it's essential that there is a standardized way for the bot to be able to extract and determine that. The |
This comment has been minimized.
This comment has been minimized.
I think this issue should be labeled with |
Hmm, we took out language labels for now to resize how many labels we had in the repo. Need to think whether to reintroduce them or remove that doc link |
no reason, no. We used a list file just because it was trivial for us to implement, but renovate can be smarter than that.
not sure how to interpret this; this ticket definitely seems not-done :) |
pip-compile is more and more popular in the current python world. We are eager for this in renovate. |
Renovate has evolved a bit since this was originally requested, so I wanted to recap.
|
Hello @rarkins! We also want pip-compile support in renovate to finally move from dependabot.
What if the input files are also named
Maybe some parameter like Our workflow is pretty complex, but I wanted to give an additional example for the implementation to be better. Let me know if I can help with moving this forward, I am not so good in JS/TS but can assist with Python-related questions. Thank you |
How/where is the relationship between Update: Seems like you have a proprietary build script which is linked to.
This is already done in Renovate e.g. for Poetry and Pipenv. Ideally there would be a convention within the repository for defining the required Python version, but failing that we do have the ability to configure it.
Ideally this is also specified within the repository. However wouldn't it be possible to use the logic "if the existing output file has hashes, then use
The biggest barrier to starting this is the large number of edge cases and advanced uses listed in this issue. This discourages anyone from starting implementation because it gives the impression "don't even try this unless you've got a few weeks to think through all the cases listed here". If someone can define what a minimum viable implementation looks like then it would help overcome that barrier. I think if we had a base implementation which satisfied 80%+ of use cases then it would also make it easier to break down the remaining 10-20% of use cases into more "bite sized" chunks of functionality which can be implemented one by one. By the way this also illustrates the downside of package managers which are high on flexibility and/or low on convention. Everyone does things a different ways, needs to have custom shell scripts, etc. |
It seems to me that pip-compile doesn't supply enough information to infer the relationships between the a. support e. (d), but stick it in the repo as a basic separate file (not in renovate-specific config) I wonder if (e) might be of interest as a pull request to pip-tools. Then it might be more widely useful and also reduce the pip-compile specific code in renovate. I've commented at jazzband/pip-tools#1435 (comment) to that effect. [0] (I haven't seen this in the wild, not sure of details here. Could we just require an |
Thank you for the analysis. I'm inexperienced with the majority of package manager tools we support - because we support so many - but have built up some rules of thumb and instincts over time as to what I think is best. Nearly always it's best for package manager settings to be explicit and committed in the repo. For example with npm, it's better to have settings in .npmrc than flags in a Makefile or package.json script commands. Complicating Renovate config with manager-specific settings which are duplicated from elsewhere is also undesirable and can lead to a lack of single source of truth. Final rule of thumb is that some managers allow a lot of flexibility and such managers always have a subset of users who insist on their right to complicated flexibility without acknowledging that it makes automation tools difficult to impossible. In such cases we need to at least find a middle ground. Here it seems that the embedded pip-compile command in the output file would work very well for us to reverse engineer the input(s), but it's blocked from working when the env variable is in use. Still, I'd like that to be our next implementation approach and work from there. |
Keep in mind that even setup.py is considered a valid source and that the real input file may be another file. It would be delusional to believe that renovate can parse these reliably. For example I use pip-compile to produce constraint.txt files, not real reqs (more limited syntax). As I stated previously the only sustainable way to this is to use input file patterns that trigger user configured command that updates a set of (output) files. That logic applies not only for pip-compile but for other deps too. Yep, running generic commands can raise some security concerns but in the end I am sure that most of the tools can easily hacked to do inject deliberate commands anyway. As long these run in isolated environments (containers) it should not be an issue. Using tox, make or even a bash script is not uncommon. I am glad I found this bug before starting to effectively use renovate in production. |
The future of dependency management is explicit, declarative configuration files - ideally static. Systems so complex that people feel the need to warn of their complexity or lack of parseability will be marginalized over time by other tools which separate out the static declaration of dependencies from other functionality which requires scripting and interpretation. PEP621 is a good sign for Python in this regard. I'm confident we can have a good solution for |
I definitely agree with your sentiments about To be clear, the reason I want the header is that my environment is packaged in a container. So updating the requirements file is not sufficient. Obviously if push comes to shove I can just let people know X is how you update the file(s), but you still need to run Y in order to rebuild your container to pull in the requirements you just adjusted. Aside from updating the container everything is simple pip commands so if that's what ends up showing in the file that's not that big of a deal. |
@rarkins Is there already some documentation regarding the current level of support? |
Ah, thank you. PS: It still looks as if the Python page could need an update (maybe it could just link to the supported managers). |
Hi @rarkins! pip-tools 6.2.0 has been released and it has included deterministic ordering of packages (to match pip-freeze ones) and writing python version to the header comment. So it now looks like so:
It should be good enough to parse and extract python version to use.
|
Hi, could you describe more about:
Is it contained within the I had preferred that we don't need unnecessary or duplicated config in Renovate if we can avoid it. Hence I was hoping that the |
Hi!
I mean the
then if we do upgrade b to 2.0.0, without that fix it would then do:
With this change it will leave the order of dependencies in output files the same |
Update on this: I plan to work on making it work better in the following weeks (sorry, no exact time range, if someone can pick it up and implement it I will help during review and testing). I would add a new config option to the pip-compile manager: something like That way we also don't need to change existing pip-requirements behaviour much: files without any version constraints can be left unregistered with Wasn't there a use case where pip-compile can take multiple inputs? Yes there is, but I think it can be solved without complications. |
Any progress on this? |
Maybe someone finds this useful, but the workaround for now we did in our company: renovate.json
config.js
|
Good one, I am using docker instead, since the version of Python on renovate is 3.10. |
You don't need to run renovate as root for DinD, our helm chart works fine without root |
This - in fact - is a nice approach but sadly limited at some point, e.g. when you need to pin a requirement to a specific version. We use Using the As we fight with a lot dependencies we tend to bulk upgrade packages, so instead of passing each update individually to "commands": [
"pip install pip-compile-multi && cd backend && bash update_requirements_txt.sh {{#each upgrades}}--upgrade-package={{{depName}}}=={{{newVersion}}} {{/each}}"
], (We use some wrapper script around Package upgrades passed to This leads to pull requests that contain package upgrades that either are not allowed and therefore not in the real commit and maybe - did not verify yet - to incompatible package constellations as they might not be parsed against the pinned versions. So for the moment, I am pretty stuck. |
This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
Cool project!
It would be nice with support for the pip-tools
pip-compile
command (basically creating lock files with pip dependencies from specification files)Proposed solution
If it's possible a solution could be to simply allow defining arbitrary lock-file commands if containerization is good enough so that it doesn't pose a security issue (haven't looked at any of the code, so no idea of how the project currently works).
Otherwise something like
would probably be a good configuration that runs the command
pip-compile [--outputfile <outFile>] [<inFile>]
.The text was updated successfully, but these errors were encountered: