From 30765fbd1e8fb1dd30bb94baff1cb4eca943c58c Mon Sep 17 00:00:00 2001
From: Christoph Brand <christoph@brand.rest>
Date: Wed, 4 May 2022 00:35:32 +0200
Subject: [PATCH] feat(manager): no-emit-index-url in pip compile (#15367)

* feat(manager): no-emit-index-url in pip compile

Add support for no-emit-index-url to avoid sharing
confident credentials in the generated requirements.txt
file.

* chore: linting fixes

* chore: update docs

* chore: code review fixes

Co-authored-by: Rhys Arkins <rhys@arkins.net>
Co-authored-by: Michael Kriese <michael.kriese@visualon.de>
---
 .../pip-compile/__fixtures__/requirementsWithHashes.txt    | 2 +-
 lib/modules/manager/pip-compile/artifacts.spec.ts          | 2 +-
 lib/modules/manager/pip-compile/artifacts.ts               | 7 ++++++-
 lib/modules/manager/pip-compile/readme.md                  | 1 +
 4 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/lib/modules/manager/pip-compile/__fixtures__/requirementsWithHashes.txt b/lib/modules/manager/pip-compile/__fixtures__/requirementsWithHashes.txt
index 38ca9ec1db..77b7f5716c 100644
--- a/lib/modules/manager/pip-compile/__fixtures__/requirementsWithHashes.txt
+++ b/lib/modules/manager/pip-compile/__fixtures__/requirementsWithHashes.txt
@@ -2,7 +2,7 @@
 # This file is autogenerated by pip-compile with python 3.9
 # To update, run:
 #
-#    pip-compile --allow-unsafe --generate-hashes --output-file=requirements.txt requirements.in
+#    pip-compile --allow-unsafe --generate-hashes --no-emit-index-url --output-file=requirements.txt requirements.in
 #
 attrs==21.2.0 \
     --hash=sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1 \
diff --git a/lib/modules/manager/pip-compile/artifacts.spec.ts b/lib/modules/manager/pip-compile/artifacts.spec.ts
index efe029cc87..a78065efb7 100644
--- a/lib/modules/manager/pip-compile/artifacts.spec.ts
+++ b/lib/modules/manager/pip-compile/artifacts.spec.ts
@@ -182,7 +182,7 @@ describe('modules/manager/pip-compile/artifacts', () => {
           'subdir/requirements.txt'
         )
       ).toBe(
-        'pip-compile --allow-unsafe --generate-hashes --output-file=requirements.txt requirements.in'
+        'pip-compile --allow-unsafe --generate-hashes --no-emit-index-url --output-file=requirements.txt requirements.in'
       );
     });
 
diff --git a/lib/modules/manager/pip-compile/artifacts.ts b/lib/modules/manager/pip-compile/artifacts.ts
index 7a7f8d098b..9eb6843a19 100644
--- a/lib/modules/manager/pip-compile/artifacts.ts
+++ b/lib/modules/manager/pip-compile/artifacts.ts
@@ -47,6 +47,11 @@ function getPipToolsConstraint(config: UpdateArtifactsConfig): string {
 const constraintLineRegex = regEx(
   /^(#.*?\r?\n)+# {4}pip-compile(?<arguments>.*?)\r?\n/
 );
+const allowedPipArguments = [
+  '--allow-unsafe',
+  '--generate-hashes',
+  '--no-emit-index-url',
+];
 
 export function constructPipCompileCmd(
   content: string,
@@ -58,7 +63,7 @@ export function constructPipCompileCmd(
   if (headers?.groups) {
     logger.debug({ header: headers[0] }, 'Found pip-compile header');
     for (const argument of split(headers.groups.arguments)) {
-      if (['--allow-unsafe', '--generate-hashes'].includes(argument)) {
+      if (allowedPipArguments.includes(argument)) {
         args.push(argument);
       } else if (argument.startsWith('--output-file=')) {
         const file = upath.parse(outputFileName).base;
diff --git a/lib/modules/manager/pip-compile/readme.md b/lib/modules/manager/pip-compile/readme.md
index 6118ab5303..981635be2b 100644
--- a/lib/modules/manager/pip-compile/readme.md
+++ b/lib/modules/manager/pip-compile/readme.md
@@ -47,3 +47,4 @@ Renovate reads the `requirements.txt` file and extracts these `pip-compile` argu
 
 - `--generate-hashes`
 - `--allow-unsafe`
+- `--no-emit-index-url`
-- 
GitLab