ci: doc: pin Python dependencies to specific versions/hashes #87311
Conversation
kartben
force-pushed
the
pin_documentation_py_reqs
branch
from
2fe3bd0 to
04b921b
Compare
kartben
force-pushed
the
pin_documentation_py_reqs
branch
from
04b921b to
2bd6444
Compare
|
The job - name: install-pip
run: |
pip install -r doc/requirements.txt
pip install west==${WEST_VERSION}
pip install cmake==${CMAKE_VERSION}Which has a different construct for the package versions, what's the rationale here, and why can't we simply add these in |
doc/requirements.txt
Outdated
| @@ -1,26 +1,722 @@ | |||
| # DOC: used to generate docs | |||
| # | |||
| # This file is autogenerated by pip-compile with Python 3.13 | |||
There was a problem hiding this comment.
what version are we using in CI? Should this match the same version used in CI?
There was a problem hiding this comment.
I'm not fluent in ruby, but AFAICS dependabot parses this line to match the python version.
Version parsing:
https://github.com/dependabot/dependabot-core/blob/0405a99f095c792385a61be4f0f11911b81a86e8/python/lib/dependabot/python/file_parser/python_requirement_parser.rb#L92
Matching:
https://github.com/dependabot/dependabot-core/blob/0405a99f095c792385a61be4f0f11911b81a86e8/python/lib/dependabot/python/language_version_manager.rb#L90
This kind of information lacks in the documentation it seems.
There was a problem hiding this comment.
the question is unrelated to dependabot , wondering if this would be a problem to generate hashes using one version and to be using a different version when installing the packages, i.e. there might be incompatibilities.
There was a problem hiding this comment.
I think we're good. The version is there to help dependabot generate requirements.txt files that are "consistent" (i.e. no unnecessary diffs). The actual hashes have nothing to do with it AFAICT and any pip 8+ version will be happy with the format of the file (https://pip.pypa.io/en/stable/topics/secure-installs/#hash-checking-mode)
There was a problem hiding this comment.
re-gen'd the requirements.txt with python 3.12 (Python version used in our docker image)
Yeah I need to look into this as it seems to actually be failing anyway
Yeah this needs some cleanup. Adding cmake to the requirements file would likely be problematic for folks install dependencies locally and already having CMake? I will install it as a Linux package |
Add a check that we're installing a legit Doxygen binary Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
Use secure install for ̦Python documentation dependencies. Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
Removed coverxygen installation from the CI workflow and added it to the requirements.txt/.in files and make it easier for anyone to potentially use it locally. Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
Added a new configuration for pip dependencies in the doc/ Groups all updates into one PR. Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
Moved away from a texlive docker container to a vanilla ubuntu runner so that we can better track the actual dependencies a user needs to build the PDF rather than relying on the gigabytes of random stuff that the texlive docker container pulls in. Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
We get West from the action-zephyr-setup action Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
kartben
force-pushed
the
pin_documentation_py_reqs
branch
from
2bd6444 to
79cb011
Compare
|
Ended up doing lots of houskeeping on the PDF job so as to get rid of the texlive docker container we were using so that we actually install the required packages and therefore cross-check that our documentation has up-to-date instructions w.r.t what people might need to install to build the PDF locally |
require hashes in doc ci workflow Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
|
Just added one more extra flag that makes extra sure hashes are mandatory (and makes scorecard happy as well) |
Use secure install for Python documentation dependencies.