Chore: add pip metadata file to app container

[thekaveman]

Runs pip freeze pipdeptree and puts the results in benefits/static/requirements.txt before building and publishing the app image.

Similar to having the sha.txt, this will help confirm changes and debug issues with Python package updates.

Reviewing this PR

I ran the Deploy Action manually for this branch to produce an image using the updated workflow, you can see in the logs the results of the updates.

That image is here: https://github.com/cal-itp/benefits/pkgs/container/benefits/129491917?tag=pip-freeze

To test that this works, pull the image locally:

$ docker pull ghcr.io/cal-itp/benefits:pip-freeze
pip-freeze: Pulling from cal-itp/benefits
Digest: sha256:79741236bcd586bf56e052af6c38ad92cce138d47d28a0fe55d032e1d597a0af
Status: Image is up to date for ghcr.io/cal-itp/benefits:pip-freeze
ghcr.io/cal-itp/benefits:pip-freeze

Then run a container based on that image, using the -P flag to ensure the port is bound for traffic from your host --> container:

$ docker run -P ghcr.io/cal-itp/benefits:pip-freeze
+ bin/init.sh
+ rm -f django.db
+ python manage.py migrate
# ... etc benefits startup

Now visit localhost:PORT/static/requirements.txt for the dynamic port that Docker assigned, and you should see the list of requirements. Take note that the version specified for benefits is tied to the commit SHA (which is the same as the HEAD from this PR): 0a961c2e0d59befb1d5195eb7a5d3a1310c81a5b

[machikoyasuda]

Was able to get this running locally 👍

Originally got this error:

machikoyasuda@compiler benefits % docker pull ghcr.io/cal-itp/benefits:pip-freeze
pip-freeze: Pulling from cal-itp/benefits
no matching manifest for linux/arm64/v8 in the manifest list entries

But then I clicked on the OS/Arch tab to find a better pull URL for linux/amd64:

and that worked fine for me.

Just out of curiosity, why not save this file somewhere that's read by Git, like how Gemfile.lock/package-lock.json/yarn.lock files are?

[thekaveman]

@machikoyasuda

Just out of curiosity, why not save this file somewhere that's read by Git, like how Gemfile.lock/package-lock.json/yarn.lock files are?

Good question! So we do save a representation of our dependencies in the pyproject.toml here: https://github.com/cal-itp/benefits/blob/dev/pyproject.toml#L9

This is slightly different, in that we are saving the complete runtime environment, which includes e.g. packages that were installed as dependencies of our dependencies. It also includes the exact version of benefits itself so we know at runtime in dev, test, prod which one is out there (though this is sort of duplicative of the sha.txt).

This would have been more helpful a few weeks ago when we were doing all those package updates across benefits, docker-python-web etc., but now it will be there for next time.

---

As I was typing the above reply, I realized it might be more useful to see the pipdeptree output instead of pip freeze, which shows the hierarchy much more clearly:

benefits==2023.9.1
├── Authlib [required: ==1.2.1, installed: 1.2.1]
│   └── cryptography [required: >=3.2, installed: 41.0.4]
│       └── cffi [required: >=1.12, installed: 1.15.1]
│           └── pycparser [required: Any, installed: 2.21]
├── Django [required: ==4.2.5, installed: 4.2.5]
│   ├── asgiref [required: >=3.6.0,<4, installed: 3.7.2]
│   └── sqlparse [required: >=0.3.1, installed: 0.4.4]
├── django-csp [required: ==3.7, installed: 3.7]
│   └── Django [required: >=1.8, installed: 4.2.5]
│       ├── asgiref [required: >=3.6.0,<4, installed: 3.7.2]
│       └── sqlparse [required: >=0.3.1, installed: 0.4.4]
├── eligibility-api [required: ==2023.9.1, installed: 2023.9.1]
│   ├── jwcrypto [required: >=1.5, installed: 1.5.0]
│   │   ├── cryptography [required: >=3.4, installed: 41.0.4]
│   │   │   └── cffi [required: >=1.12, installed: 1.15.1]
│   │   │       └── pycparser [required: Any, installed: 2.21]
│   │   └── Deprecated [required: Any, installed: 1.2.14]
│   │       └── wrapt [required: >=1.10,<2, installed: 1.15.0]
│   └── requests [required: >=2.31.0, installed: 2.31.0]
│       ├── certifi [required: >=2017.4.17, installed: 2023.7.22]
│       ├── charset-normalizer [required: >=2,<4, installed: 3.2.0]
│       ├── idna [required: >=2.5,<4, installed: 3.4]
│       └── urllib3 [required: >=1.21.1,<3, installed: 2.0.5]
├── requests [required: ==2.31.0, installed: 2.31.0]
│   ├── certifi [required: >=2017.4.17, installed: 2023.7.22]
│   ├── charset-normalizer [required: >=2,<4, installed: 3.2.0]
│   ├── idna [required: >=2.5,<4, installed: 3.4]
│   └── urllib3 [required: >=1.21.1,<3, installed: 2.0.5]
├── sentry-sdk [required: ==1.31.0, installed: 1.31.0]
│   ├── certifi [required: Any, installed: 2023.7.22]
│   └── urllib3 [required: >=1.26.11, installed: 2.0.5]
└── six [required: ==1.16.0, installed: 1.16.0]
gunicorn==21.2.0
└── packaging [required: Any, installed: 23.1]
pip==23.2.1
pipdeptree==2.13.0
setuptools==65.5.1
wheel==0.41.2