Request: leave environment variable references as-is in requirements.txt output. #2063

Closed
metavee opened this issue Feb 27, 2024 · 10 comments
Labels
enhancement Improvements to functionality logging Related to log or console output writer Related to results output writer component

Comments

@metavee

metavee commented Feb 27, 2024

What's the problem this feature will solve?

When using private package indexes, you can supply credentials in the index URL via environment variables.

--extra-index-url https://${PRIVATE_PYPI_USER}:${PRIVATE_PYPI_PASSWORD}@my-private-pypi-index/...

If you do this in your requirements.in file, pip-compile will output the credentials into the requirements.txt file.

This makes it difficult to use pip-tools when using a private index, since ideally you could commit requirements.txt to version control without having to make any tweaks or downstream adjustments.

Describe the solution you'd like

I would like any environment variable references to appear in the output requirements.txt file, without the actual values being substituted in.

Alternative Solutions

Additional context

This could complement #1876 or make it unnecessary.

@webknjaz
Member

Does pip itself support references to env vars in requirements files? I don't recall seeing it there...

@metavee
Author

metavee commented Feb 28, 2024

@webknjaz
Member

Ah, interesting. Makes sense, then. Though, personally, I'd want the constraint files to be generated without any extra options.

@chrysle chrysle added logging Related to log or console output enhancement Improvements to functionality writer Related to results output writer component labels Feb 28, 2024
@metavee
Author

metavee commented Feb 28, 2024

Is there an easy alternative?

I know pip-compile will pass through pip arguments such as the index URL, but then that shifts the credentials to the pre-commit config, which is also in version control and doesn't natively support environment variable substitutions.

@webknjaz
Member

I'm not sure. Does pip support ~/.netrc?

@WhyNotHugo
Member

WhyNotHugo commented Feb 28, 2024

It does: https://stackoverflow.com/a/55978589/107510

machine pypi.example.com
    login johndoe
    password changeme

@WhyNotHugo
Member

As per the above link, it also seems to be possible to use environment variables in pip.conf.

@webknjaz
Member

Case closed, then?

@metavee
Author

metavee commented Feb 29, 2024

Yeah, I guess so! It seems like there is a reasonably safe way to use custom indexes without revealing secrets in the files.

I think there is still a minor footgun since it's surprising, but maybe #1876 is the easy way to address that.

@metavee metavee closed this as completed Feb 29, 2024
@metavee metavee closed this as not planned Feb 29, 2024
@webknjaz
Member

Yep, that sounds like a reasonable request.
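
Added example (not part of the issue thread and not pip-tools code): a check that could run before a compiled requirements.txt is committed, flagging index URLs that carry literal credentials while accepting the `${VAR}` references that pip expands. The function name `find_embedded_credentials` and the sample file contents are constructed for illustration.

```python
"""Flag literal credentials in pip index URLs of a requirements file."""
import re
import sys
from urllib.parse import urlsplit

# pip options whose value is a URL that may carry userinfo.
INDEX_OPTS = {"--index-url", "-i", "--extra-index-url", "--find-links", "-f"}
# pip only expands ${UPPER_CASE} references in requirements files.
ENV_REF = re.compile(r"\$\{[A-Z0-9_]+\}")

# Constructed sample input, not taken from the issue.
SAMPLE = """\
# compiled output (constructed)
--index-url https://pypi.org/simple
--extra-index-url https://${PRIVATE_PYPI_USER}:${PRIVATE_PYPI_PASSWORD}@pypi.example.com/simple
--extra-index-url https://johndoe:changeme@pypi.example.com/simple
--extra-index-url=https://__token__:${PRIVATE_PYPI_PASSWORD}@pypi.example.com/simple
requests==2.31.0
"""


def find_embedded_credentials(text):
    """Return [(line_no, host)] for index URLs whose secret part is a literal."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split(" #", 1)[0].strip()  # drop trailing comments
        # Accept both "--opt URL" and "--opt=URL".
        parts = re.split(r"[=\s]+", line, maxsplit=1)
        if len(parts) < 2 or parts[0] not in INDEX_OPTS:
            continue
        url = urlsplit(parts[1])
        userinfo, at, _ = url.netloc.rpartition("@")
        if not at:
            continue  # no credentials in this URL
        user, sep, password = userinfo.partition(":")
        # With "user:password" the password is the secret; with a bare
        # "token@host" the token itself is.
        secret = password if sep else user
        if ENV_REF.sub("", secret):  # literal text left after removing ${VAR}
            findings.append((no, url.hostname))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    hits = find_embedded_credentials(text)
    for no, host in hits:
        print(f"line {no}: literal credentials in index URL for {host}")
    sys.exit(1 if hits else 0)
```

Run with a file path as the only argument; the non-zero exit status on a finding lets it act as a commit or CI gate. It inspects index option lines only, not direct URL requirements.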
