From 30765fbd1e8fb1dd30bb94baff1cb4eca943c58c Mon Sep 17 00:00:00 2001 From: Christoph Brand <christoph@brand.rest> Date: Wed, 4 May 2022 00:35:32 +0200 Subject: [PATCH] feat(manager): no-emit-index-url in pip compile (#15367) * feat(manager): no-emit-index-url in pip compile Add support for no-emit-index-url to avoid sharing confident credentials in the generated requirements.txt file. * chore: linting fixes * chore: update docs * chore: code review fixes Co-authored-by: Rhys Arkins <rhys@arkins.net> Co-authored-by: Michael Kriese <michael.kriese@visualon.de> --- .../pip-compile/__fixtures__/requirementsWithHashes.txt | 2 +- lib/modules/manager/pip-compile/artifacts.spec.ts | 2 +- lib/modules/manager/pip-compile/artifacts.ts | 7 ++++++- lib/modules/manager/pip-compile/readme.md | 1 + 4 files changed, 9 insertions(+), 3 deletions(-) diff --git a/lib/modules/manager/pip-compile/__fixtures__/requirementsWithHashes.txt b/lib/modules/manager/pip-compile/__fixtures__/requirementsWithHashes.txt index 38ca9ec1db..77b7f5716c 100644 --- a/lib/modules/manager/pip-compile/__fixtures__/requirementsWithHashes.txt +++ b/lib/modules/manager/pip-compile/__fixtures__/requirementsWithHashes.txt @@ -2,7 +2,7 @@ # This file is autogenerated by pip-compile with python 3.9 # To update, run: # -# pip-compile --allow-unsafe --generate-hashes --output-file=requirements.txt requirements.in +# pip-compile --allow-unsafe --generate-hashes --no-emit-index-url --output-file=requirements.txt requirements.in # attrs==21.2.0 \ --hash=sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1 \ diff --git a/lib/modules/manager/pip-compile/artifacts.spec.ts b/lib/modules/manager/pip-compile/artifacts.spec.ts index efe029cc87..a78065efb7 100644 --- a/lib/modules/manager/pip-compile/artifacts.spec.ts +++ b/lib/modules/manager/pip-compile/artifacts.spec.ts @@ -182,7 +182,7 @@ describe('modules/manager/pip-compile/artifacts', () => { 'subdir/requirements.txt' ) ).toBe( - 'pip-compile --allow-unsafe --generate-hashes --output-file=requirements.txt requirements.in' + 'pip-compile --allow-unsafe --generate-hashes --no-emit-index-url --output-file=requirements.txt requirements.in' ); }); diff --git a/lib/modules/manager/pip-compile/artifacts.ts b/lib/modules/manager/pip-compile/artifacts.ts index 7a7f8d098b..9eb6843a19 100644 --- a/lib/modules/manager/pip-compile/artifacts.ts +++ b/lib/modules/manager/pip-compile/artifacts.ts @@ -47,6 +47,11 @@ function getPipToolsConstraint(config: UpdateArtifactsConfig): string { const constraintLineRegex = regEx( /^(#.*?\r?\n)+# {4}pip-compile(?<arguments>.*?)\r?\n/ ); +const allowedPipArguments = [ + '--allow-unsafe', + '--generate-hashes', + '--no-emit-index-url', +]; export function constructPipCompileCmd( content: string, @@ -58,7 +63,7 @@ export function constructPipCompileCmd( if (headers?.groups) { logger.debug({ header: headers[0] }, 'Found pip-compile header'); for (const argument of split(headers.groups.arguments)) { - if (['--allow-unsafe', '--generate-hashes'].includes(argument)) { + if (allowedPipArguments.includes(argument)) { args.push(argument); } else if (argument.startsWith('--output-file=')) { const file = upath.parse(outputFileName).base; diff --git a/lib/modules/manager/pip-compile/readme.md b/lib/modules/manager/pip-compile/readme.md index 6118ab5303..981635be2b 100644 --- a/lib/modules/manager/pip-compile/readme.md +++ b/lib/modules/manager/pip-compile/readme.md @@ -47,3 +47,4 @@ Renovate reads the `requirements.txt` file and extracts these `pip-compile` argu - `--generate-hashes` - `--allow-unsafe` +- `--no-emit-index-url` -- GitLab