feat(manager): no-emit-index-url in pip compile (#15367)

* feat(manager): no-emit-index-url in pip compile Add support for no-emit-index-url to avoid sharing confident credentials in the generated requirements.txt file. * chore: linting fixes * chore: update docs * chore: code review fixes Co-authored-by: Rhys Arkins <rhys@arkins.net> Co-authored-by: Michael Kriese <michael.kriese@visualon.de>

feat(manager): no-emit-index-url in pip compile (#15367)
30765fbd · Christoph Brand · GitHub · 75e76756 · 30765fbd · 30765fbd
Unverified Commit 30765fbd authored 2 years ago by Christoph Brand Committed by GitHub 2 years ago
--- a/lib/modules/manager/pip-compile/__fixtures__/requirementsWithHashes.txt
+++ b/lib/modules/manager/pip-compile/__fixtures__/requirementsWithHashes.txt
@@ -2,7 +2,7 @@
 # This file is autogenerated by pip-compile with python 3.9
 # To update, run:
 #
-#    pip-compile --allow-unsafe --generate-hashes --output-file=requirements.txt requirements.in
+#    pip-compile --allow-unsafe --generate-hashes --no-emit-index-url --output-file=requirements.txt requirements.in
 #
 attrs==21.2.0 \
    --hash=sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1 \

--- a/lib/modules/manager/pip-compile/artifacts.spec.ts
+++ b/lib/modules/manager/pip-compile/artifacts.spec.ts
@@ -182,7 +182,7 @@ describe('modules/manager/pip-compile/artifacts', () => {
          'subdir/requirements.txt'
        )
      ).toBe(
-        'pip-compile --allow-unsafe --generate-hashes --output-file=requirements.txt requirements.in'
+        'pip-compile --allow-unsafe --generate-hashes --no-emit-index-url --output-file=requirements.txt requirements.in'
      );
    });

--- a/lib/modules/manager/pip-compile/artifacts.ts
+++ b/lib/modules/manager/pip-compile/artifacts.ts
@@ -47,6 +47,11 @@ function getPipToolsConstraint(config: UpdateArtifactsConfig): string {
 const constraintLineRegex = regEx(
  /^(#.*?\r?\n)+# {4}pip-compile(?<arguments>.*?)\r?\n/
 );
+const allowedPipArguments = [
+  '--allow-unsafe',
+  '--generate-hashes',
+  '--no-emit-index-url',
+];
 export function constructPipCompileCmd(
  content: string,
@@ -58,7 +63,7 @@ export function constructPipCompileCmd(
  if (headers?.groups) {
    logger.debug({ header: headers[0] }, 'Found pip-compile header');
    for (const argument of split(headers.groups.arguments)) {
-      if (['--allow-unsafe', '--generate-hashes'].includes(argument)) {
+      if (allowedPipArguments.includes(argument)) {
        args.push(argument);
      } else if (argument.startsWith('--output-file=')) {
        const file = upath.parse(outputFileName).base;

--- a/lib/modules/manager/pip-compile/readme.md
+++ b/lib/modules/manager/pip-compile/readme.md
@@ -47,3 +47,4 @@ Renovate reads the `requirements.txt` file and extracts these `pip-compile` argu
 - `--generate-hashes`
 - `--allow-unsafe`
+- `--no-emit-index-url`