[setup.py] add fallback version #2
@GregAC not sure who is the admin of this fork, but perhaps you could help me get this merged (or point me in the right direction)? So we can address lowRISC/opentitan#19401 to keep the regressions running :)
CC: @rswarbrick
@timothytrippel any idea what the CI failure is about? Sadly Python packaging is not my strong suit!
We are trying to lock down the `python-requirements.txt` file in the lowRISC/opentitan repository by adding hashes for all dependencies (including transitive dependencies), to satisfy OpenTitan partner organization-level requirements. To do so, we would like to generate a `python-requirements.txt` file with the required hashes using the `pip-compile` command from the `pip-tools` package.

The way the version is detected in the `setup.py` configuration in this package is using the `use_scm_version` feature which attempts to extract the version from VCS (i.e., git) metadata. However, this requires installing the package with `pip install git+https://github.com/lowRISC/fusesoc.git@<tag>`. However, to use the `pip-compile` command to generate secure `python-requirements.txt` file (i.e., one with pinned hashes), requires installing packages directly using the HTTPS URL syntax, i.e., `pip install https://github.com/lowRISC/fusesoc/archive/refs/tags/ot-0.3.zip`, i.e., bypassing git. Unfortunately, this fails to find the version, since there is no git metadata to parse.

Therefore, I updated the `setup.py` configuration to use a "fallback_version".

Signed-off-by: Tim Trippel <ttrippel@google.com>
Signed-off-by: Tim Trippel <ttrippel@google.com>
Sorry about that, had to dig deeper myself. Looks like it was two issues:
The changes pass now.
Just realized this should have not been merged to the master branch, I didn't realize we were tagging the The changes from this PR have been moved to a new PR against the
We are trying to lock down the `python-requirements.txt` file in the lowRISC/opentitan repository by adding hashes for all dependencies (including transitive dependencies), to satisfy OpenTitan partner organization-level requirements. To do so, we would like to generate a `python-requirements.txt` file with the required hashes using the `pip-compile` command from the `pip-tools` package.

The way the version is detected in the `setup.py` configuration in this package is using the `use_scm_version` feature which attempts to extract the version from VCS (i.e., git) metadata. However, this requires installing the package with `pip install git+https://github.com/lowRISC/fusesoc.git@<tag>`. However, to use the `pip-compile` command to generate secure `python-requirements.txt` file (i.e., one with pinned hashes), requires installing packages directly using the HTTPS URL syntax, i.e., `pip install https://github.com/lowRISC/fusesoc/archive/refs/tags/ot-0.3.zip`, i.e., bypassing git. Unfortunately, this fails to find the version, since there is no git metadata to parse.

Therefore, I updated the `setup.py` configuration to use a "fallback_version".

This addresses part of lowRISC/opentitan#19401.
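A check a reviewer could run on the generated requirements file, as an added example that is not part of this PR or of the fusesoc or OpenTitan code: it flags entries that pip's hash-checking mode rejects, namely VCS (`git+`) URLs, entries without a `--hash`, and entries not pinned with `==`. The names `audit` and `logical_lines`, the sample file and its all-zero digests are constructed for illustration.

```python
import re

FAKE = "0" * 64  # placeholder digest, not a real hash
# Constructed sample in the style of `pip-compile --generate-hashes` output.
SAMPLE = "\n".join([
    "# constructed sample, not the real OpenTitan file",
    "fusesoc @ https://github.com/lowRISC/fusesoc/archive/refs/tags/ot-0.3.zip \\",
    f"    --hash=sha256:{FAKE}",
    "pyyaml==6.0 \\",
    f"    --hash=sha256:{FAKE}",
    "git+https://github.com/lowRISC/fusesoc.git@ot-0.3",
    "requests>=2.0 \\",
    f"    --hash=sha256:{FAKE}",
    "six==1.16.0",
])

HASH_RE = re.compile(r"--hash=sha256:[0-9a-f]{64}\b")
VCS_RE = re.compile(r"(^|\s|@)(git|hg|svn|bzr)\+\w+://")

def logical_lines(text):
    """Join backslash continuations; drop comments, blanks and option lines."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.split(" #")[0].strip()
        if line and not line.startswith(("#", "--")):
            yield line

def audit(text):
    """Return (requirement, problem) pairs that hash-checking would reject."""
    findings = []
    for line in logical_lines(text):
        spec = re.split(r"\s+--hash=", line)[0].strip()
        if VCS_RE.search(spec):
            findings.append((spec, "vcs-url"))      # a repository checkout has no archive digest
        elif not HASH_RE.search(line):
            findings.append((spec, "no-hash"))
        elif "==" not in spec and "://" not in spec:
            findings.append((spec, "not-pinned"))   # range specifier, not ==
    return findings

if __name__ == "__main__":
    for spec, problem in audit(SAMPLE):
        print(f"{problem:10} {spec}")
```

The archive-URL entry for `ot-0.3` passes because it carries a digest, while the `git+` form of the same tag is reported as `vcs-url`.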