
compile_pip_requirements doesn't work with dependabot out-of-the-box #470

@joshwilson-theorem

🚀 feature request

Relevant Rules

Add a feature to compile_pip_requirements

Description

Consider the following setup:

WORKSPACE:

load("@bazel_tools//tools/build_defs/repo:git.bzl", "git_repository")

git_repository(
    name = "rules_python",
    commit = "ef4d735216a3782b7c33543d82b891fe3a86e3f3",
    remote = "https://github.com/bazelbuild/rules_python",
    shallow_since = "1620506974 -0700",
)

load("@rules_python//python/pip_install:repositories.bzl", "pip_install_dependencies")

pip_install_dependencies()

BUILD:

load("@rules_python//python/pip_install:requirements.bzl", "compile_pip_requirements")

compile_pip_requirements(
    name = "requirements",
    requirements_in = "requirements.in",
    requirements_txt = "requirements.txt",
)

requirements.in:

attrs==21.2.0

requirements.txt:

#
# This file is autogenerated by pip-compile
# To update, run:
#
#    bazel run //:requirements.update
#
attrs==21.2.0 \
    --hash=sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1 \
    --hash=sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb
    # via -r ./requirements.in

This is what makes bazel test //:requirements_test happy. But running pip-compile directly from repo root gives:

$ CUSTOM_COMPILE_COMMAND="bazel run //:requirements.update" pip-compile requirements.in --generate-hashes
#
# This file is autogenerated by pip-compile
# To update, run:
#
#    bazel run //:requirements.update
#
attrs==21.2.0 \
    --hash=sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1 \
    --hash=sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb
    # via -r requirements.in

The difference being that the Bazel version has

# via -r ./requirements.in

and the direct version has

# via -r requirements.in

(Though you can get the same behavior by passing ./requirements.in.) The reason this matters is that a tool like dependabot (https://dependabot.com/) generates the requirements.in version, so you can't use dependabot directly with compile_pip_requirements.

Describe the solution you'd like

Have compile_pip_requirements generate a lock file without the ./ (or have an option to do that).

Describe alternatives you've considered

You can run a Github action to fix up the dependabot commit to the format compile_pip_requirements wants.
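The fix-up step described above, as an added example that is not code from this issue or from rules_python: it rewrites only the `# via -r` annotation path so a dependabot-generated lock file takes the form compile_pip_requirements emits, and it checks that the two variants pin identical content (including the --hash lines) before treating them as equivalent. The two lock-file samples are constructed from the snippets in the issue; the function names are hypothetical.

```python
import re

# Constructed sample: the lock file as compile_pip_requirements writes it ("./" in the annotation).
BAZEL_LOCK = """\
#
# This file is autogenerated by pip-compile
# To update, run:
#
#    bazel run //:requirements.update
#
attrs==21.2.0 \\
    --hash=sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1 \\
    --hash=sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb
    # via -r ./requirements.in
"""

# Constructed sample: the same lock file as a plain pip-compile run (or dependabot) writes it.
DEPENDABOT_LOCK = BAZEL_LOCK.replace("-r ./requirements.in", "-r requirements.in")

# pip-compile's source annotation for a requirements file; group 3 is the path minus any "./".
VIA_RE = re.compile(r"^(\s*# via -r )(\./)?(\S+)(.*)$")


def normalize_via(text: str, prefix: str = "./") -> str:
    """Rewrite only '# via -r <file>' annotations so the path carries `prefix`.

    Pins and --hash lines pass through unchanged, so this fix-up cannot alter the
    integrity data that `bazel test //:requirements_test` checks against.
    """
    out = []
    for line in text.splitlines():
        m = VIA_RE.match(line)
        if m:
            line = f"{m.group(1)}{prefix}{m.group(3)}{m.group(4)}"
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def pinned_content(text: str) -> list:
    """Return the non-comment lines (pins and hashes) with line continuations stripped."""
    return [l.rstrip(" \\").strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def differ_only_in_via(a: str, b: str) -> bool:
    """True when two lock files pin identical content and differ only in via-annotation paths."""
    return pinned_content(a) == pinned_content(b) and normalize_via(a) == normalize_via(b)
```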
