Merge branch 'reproducibility/pip-tools-pep517-build-constraints' into devel

webknjaz · webknjaz · commit b31d81cc8d96 · 2022-07-29T16:47:27.000+02:00
This patch attempts to integrate a forgotten constraints file into the tox setup. The idea is to make PEP 517 builds reproducible. The python-build tool (PEP 517 front-end) parses the build requirements from `pyproject.toml` and `pip install`s them into an ephemeral temporary virtualenv. Unfortunately, this tool does not expose any interface to pin those requirements. But the underlying tool, pip, supports setting CLI options through env vars. So the `--constraint` option corresponds to `PIP_CONSTRAINT` env var which this change relies on. The constraints file can be regenerated as follows: $ python -c 'from pathlib import Path; from sys import argv; from tomli import loads; print("\n".join(loads(Path(argv[1]).read_text())["build-system"].get("requires", [])))' pyproject.toml | python3 -m piptools compile --allow-unsafe --generate-hashes --strip-extras --output-file requirements-build.txt - This change temporarily disables including hashes into the constraints file per pypa/pip#9243. It also sticks to generating the pins under the lowest-supported Python version which is Python 3.6 to address pypa/pip#11321.
diff --git a/requirements-build.in b/requirements-build.in
diff --git a/requirements-build.txt b/requirements-build.txt
@@ -1,47 +1,32 @@
 #
-# This file is autogenerated by pip-compile
+# This file is autogenerated by pip-compile with python 3.9
 # To update, run:
 #
-#    pip-compile --generate-hashes --output-file=requirements-build.txt requirements-build.in
+#    pip-compile --allow-unsafe --output-file=requirements-build.txt --strip-extras -
 #
-cython==0.29.30 \
-    --hash=sha256:019d330ac580b2ca4a457c464ac0b8c35009d820ef5d09f328d6e31a10e1ce89 \
-    --hash=sha256:0b83a342a071c4f14e7410568e0c0bd95e2f20c0b32944e3a721649a1357fda4 \
-    --hash=sha256:0cd6c932e945af15ae4ddcf8fdc0532bda48784c92ed0a53cf4fae897067ccd1 \
-    --hash=sha256:1e078943bbde703ca08d43e719480eb8b187d9023cbd91798619f5b5e18d0d71 \
-    --hash=sha256:20778297c8bcba201ca122a2f792a9899d6e64c68a92363dd7eb24306d54d7ce \
-    --hash=sha256:2235b62da8fe6fa8b99422c8e583f2fb95e143867d337b5c75e4b9a1a865f9e3 \
-    --hash=sha256:28db751e2d8365b39664d9cb62dc1668688b8fcc5b954e9ca9d20e0b8e03d8b0 \
-    --hash=sha256:3993aafd68a7311ef94e00e44a137f6a50a69af0575ebcc8a0a074ad4152a2b2 \
-    --hash=sha256:3d0239c7a22a0f3fb1deec75cab0078eba4dd17868aa992a54a178851e0c8684 \
-    --hash=sha256:5183356c756b56c2df12d96300d602e47ffb89943c5a0bded66faca5d3da7be0 \
-    --hash=sha256:58d2b734250c1093bc69c1c3a6f5736493b9f8b34eb765f0a28a4a09468c0b00 \
-    --hash=sha256:5a8a3709ad9343a1dc02b8ec9cf6bb284be248d2c64af85464d9c3525eec74a5 \
-    --hash=sha256:5c7cfd908efc77306ddd41ef07f5a7a352c9205ced5c1e00a0e5ece4391707c4 \
-    --hash=sha256:5f2dae7dd56860018d5fd5032a71f11fdc224020932b463d0511a1536f27df85 \
-    --hash=sha256:60d370c33d56077d30e5f425026e58c2559e93b4784106f61581cf54071f6270 \
-    --hash=sha256:6b389a94b42909ff56d3491fde7c44802053a103701a7d210dcdd449a5b4f7b4 \
-    --hash=sha256:71fd1d910aced510c001936667fc7f2901c49b2ca7a2ad67358979c94a7f42ac \
-    --hash=sha256:786ee7b0cdb508b6de64c0f1f9c74f207186dfafad1ef938f25b7494cc481a80 \
-    --hash=sha256:7eff71c39b98078deaad1d1bdbf10864d234e2ab5d5257e980a6926a8523f697 \
-    --hash=sha256:80a7255ad84620f53235c0720cdee2bc7431d9e3db7b3742823a606c329eb539 \
-    --hash=sha256:88c5e2f92f16cd999ddfc43d572639679e8a057587088e627e98118e46a803e6 \
-    --hash=sha256:8e08f18d249b9b65e272a5a60f3360a8922c4c149036b98fc821fe1afad5bdae \
-    --hash=sha256:9462e9cf284d9b1d2c5b53d62188e3c09cc5c7a0018ba349d99b73cf930238de \
-    --hash=sha256:9826981308802c61a76f967875b31b7c683b7fc369eabaa6cbc22efeb12c90e8 \
-    --hash=sha256:9f1fe924c920b699af27aefebd722df4cfbb85206291623cd37d1a7ddfd57792 \
-    --hash=sha256:a30092c6e2d24255fbfe0525f9a750554f96a263ed986d12ac3c9f7d9a85a424 \
-    --hash=sha256:abcaf99f90cddc0f53600613eaafc81d27c4ac0671f0df8bce5466d4e86d54a1 \
-    --hash=sha256:acb72e0b42079862cf2f894964b41f261e941e75677e902c5f4304b3eb00af33 \
-    --hash=sha256:b17639b6a155abaa61a89f6f1323fb57b138d0529911ca03978d594945d062ba \
-    --hash=sha256:c299c5b250ae9f81c38200441b6f1d023aeee9d8e7f61c04001c7437181ccb06 \
-    --hash=sha256:c79685dd4631a188e2385dc6a232896c7b67ea2e3e5f8b5555b4b743f475d6d7 \
-    --hash=sha256:d0859a958e0155b6ae4dee04170ccfac2c3d613a7e3bee8749614530b9e3b4a4 \
-    --hash=sha256:d0f34b44078e3e0b2f1be2b99044619b37127128e7d55c54bbd2438adcaf31d3 \
-    --hash=sha256:d166d9f853db436f5e10733a9bd615699ddb4238feadcbdf5ae50dc0b18b18f5 \
-    --hash=sha256:d52d5733dcb144deca8985f0a197c19cf71e6bd6bd9d8034f3f67b2dea68d12b \
-    --hash=sha256:e29d3487f357108b711f2f29319811d92166643d29aec1b8e063aad46a346775 \
-    --hash=sha256:e36755e71fd20eceb410cc441b7f2586654c2edb013f4663842fdaf60b96c1ca \
-    --hash=sha256:e5cb144728a335d7a7fd0a61dff6abb7a9aeff9acd46d50b886b7d9a95bb7311 \
-    --hash=sha256:e605635a92ae862cb46d84d1d6883324518f9aaff4a71cede6d61df20b6a410c \
-    --hash=sha256:ffa8c09617833ff0824aa7926fa4fa9d2ec3929c67168e89105f276b7f36a63e
+cython==0.29.30
+    # via -r -
+expandvars==0.9.0
+    # via -r -
+packaging==21.3
+    # via setuptools-scm
+pyparsing==3.0.9
+    # via packaging
+setuptools-scm==6.4.2
+    # via -r -
+setuptools-scm-git-archive==1.4
+    # via -r -
+toml==0.10.2
+    # via -r -
+tomli==1.2.3
+    # via setuptools-scm
+typing-extensions==4.3.0
+    # via setuptools-scm
+wheel==0.37.1
+    # via -r -
+
+# The following packages are considered to be unsafe in a requirements file:
+setuptools==59.6.0
+    # via
+    #   -r -
+    #   setuptools-scm
diff --git a/tox.ini b/tox.ini
@@ -32,6 +32,7 @@ commands =
 [testenv]
 allowlist_externals =
   {env:CATCHSEGV_BINARY:}
+  env
   sh
 isolated_build = true
 usedevelop = false
@@ -76,6 +77,8 @@ commands_pre =
     -f {env:PEP517_OUT_DIR} \
     --no-index \
     ansible-pylibssh
+install_command =
+  {[dists]install_command}
 setenv =
   {[dists]setenv}
 
@@ -106,13 +109,19 @@ commands_pre =
     -f {toxinidir}/.github/workflows/.tmp/deps \
     --no-index \
     ansible-pylibssh
+install_command =
+  {[dists]install_command}
 setenv =
   {[dists]setenv}
 
 [dists]
+install_command =
+  env PIP_CONSTRAINT= \
+    {envpython} -m pip install {opts} {packages}
 setenv =
   {[testenv]setenv}
   PEP517_OUT_DIR = {env:PEP517_OUT_DIR:{toxinidir}{/}dist}
+  PIP_CONSTRAINT = {toxinidir}/requirements-build.txt
 
 
 [testenv:cleanup-dists]
@@ -123,6 +132,8 @@ description =
 usedevelop = false
 skip_install = true
 deps =
+install_command =
+  {[dists]install_command}
 setenv =
   {[dists]setenv}
 commands =
@@ -140,6 +151,8 @@ usedevelop = false
 skip_install = true
 deps =
   build ~= 0.7.0
+install_command =
+  {[dists]install_command}
 passenv =
   PEP517_BUILD_ARGS
 setenv =
@@ -165,10 +178,13 @@ deps =
   # NOTE: v20 added support for backend-path
   # NOTE: in pyproject.toml and we use it
   pip >= 20
+install_command =
+  {[dists]install_command}
 setenv =
   {[dists]setenv}
 commands =
-  {envpython} -m pip wheel \
+  env PIP_CONSTRAINT= \
+    {envpython} -m pip wheel \
     --no-deps \
     --wheel-dir "{env:PEP517_OUT_DIR}" \
     "{toxinidir}"
@@ -187,6 +203,8 @@ usedevelop = false
 skip_install = true
 deps =
   delocate
+install_command =
+  {[dists]install_command}
 setenv =
   {[dists]setenv}
 commands =
@@ -216,6 +234,8 @@ depends =
   delocate-macos-wheels
 deps =
   twine
+install_command =
+  {[dists]install_command}
 usedevelop = false
 skip_install = true
 setenv =
