[python] add hashes to python-requirements.txt
#19531
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
timothytrippel
requested review from
milesdai,
rswarbrick and
mundaym
as code owners
|
Appologize for the large PR size, it is mostly auto-generated text. |
Closed
7 tasks
timothytrippel
commented
Aug 25, 2023
timothytrippel
force-pushed
the
add-hashes-to-python-packages
branch
2 times, most recently
from
77a0505 to
8fee847
Compare
Move the `python-requirements.txt` to a `python-requirements.in` file to prepare for adding a complete `python-requirements.txt` with pinned versions and hashes for compliance with partner software supply chain requirements. Signed-off-by: Tim Trippel <ttrippel@google.com>
timothytrippel
force-pushed
the
add-hashes-to-python-packages
branch
7 times, most recently
from
24083a4 to
e18ef86
Compare
cfrantz
approved these changes
Sep 12, 2023
To comply with partner organization python package supply chain requirements we add hashes for all python packages (including all transitive dependencies). To do so we: 1. move the existing `python-requirements.txt` file to `python-requirements.in`, as this will become the input to the tool (i.e., `pip-compile`) that generates the `python-requirements.txt` file we check in, 2. add `pip-tools` as a project dependency, it contains the `pip-compile` tool, 3. add `importlib-resources` and `pkgutil_resolve_name` dependencies as these do not seem to be pinned by the `jsonschema` package and causes CI errors when pinning hashes, 4. change the git VCS link references to fusesoc, edalize, and chipwhisperer packages to use plain HTTPS URLs to github hosted zip archives (so `pip-compile` can generate the hashes), and 5. autogenerate a `python-requirements.txt` file with `pip-compile --generate-hashes python-requirements.in` and check it into the repo. This partially addresses lowRISC#19401. Signed-off-by: Tim Trippel <ttrippel@google.com>
This adds a CI check to ensure the auto-generated `python-requirements.txt` file checked-in does not get stale. This partially addresses lowRISC#19401. Signed-off-by: Tim Trippel <ttrippel@google.com>
To fix lowRISC#19401, we have a new process for adding Python packages to the project. Signed-off-by: Tim Trippel <ttrippel@google.com>
timothytrippel
force-pushed
the
add-hashes-to-python-packages
branch
from
e18ef86 to
5082568
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This fixes #19401.