What's the problem this feature will solve?
We are using our private GitHub repositories, which are password (token) protected. These tokens are represented by env. variable(s). We cannot hardcode them in our code base.
So the package dependency looks like:
my-project @ git+https://${MY_CREDENTIALS}@github.com/my-team/[email protected]
Now, when this type of dependency is installed from a top-level requirements file, the env variable is expanded with no problems. But if the package being installed itself has the same type of dependency, its env variables are left untouched. This leads to a pip failure to install.
Describe the solution you'd like
I would like env variables to be expanded in all dependencies being processed by pip, at least in the URLs being used.
The problem description above is pretty much our real-world use case: we have nested private dependencies in our code structure, and these are protected by tokens which we represent with environment variables.
Alternative Solutions
Well, I guess we could try to play around with git configuration files, specifying credentials there, but that leads to other problems in our setup.
Additional context
Not really. Environment variables are already supported in requirements files (which #8828 enhances). This is about package dependencies i.e. things in a package’s metadata. I do not think we should support this since it essentially opens a door for potential attacks to silently obtain system information.
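The distinction the issue and the reply above turn on, as an added example (not pip's own code; only the `${VAR}` placeholder form is the one pip documents for requirements files): one function expands placeholders in a requirements-file line the way pip does, the other reports placeholders left in a package's own Requires-Dist entries, which pip leaves untouched because that text comes from the package author rather than the installing user. The sample requirement and Requires-Dist list are constructed for the example.

```python
import re
from typing import Dict, List, Mapping

# Placeholder syntax pip accepts in requirements files: ${NAME}, where NAME is
# upper-case letters, digits and underscores. Lower-case names are not expanded.
ENV_VAR_RE = re.compile(r"(?P<var>\$\{(?P<name>[A-Z0-9_]+)\})")


def expand_requirements_line(line: str, env: Mapping[str, str]) -> str:
    """Expand ${VAR} placeholders in one requirements-file line, pip-style.

    Unset or empty variables are left untouched, so a missing token shows up in
    the resulting URL (and the install error) instead of silently vanishing.
    """
    for placeholder, name in ENV_VAR_RE.findall(line):
        value = env.get(name)
        if not value:
            continue
        line = line.replace(placeholder, value)
    return line


def unexpanded_placeholders(requires_dist: List[str]) -> Dict[str, List[str]]:
    """Report ${VAR} placeholders left in a package's declared dependencies.

    pip does not expand Requires-Dist entries: they are written by the package
    author, and a URL built from the installer's environment would be fetched by
    pip. Any placeholder that survives into metadata fails to resolve, so catching
    it when the package is built beats finding out on a consumer's machine.
    """
    found: Dict[str, List[str]] = {}
    for spec in requires_dist:
        names = [m.group("name") for m in ENV_VAR_RE.finditer(spec)]
        if names:
            found[spec] = names
    return found


# Constructed sample data (not from the issue): a top-level requirements line and
# the Requires-Dist list of a package that itself depends on a private repo.
SAMPLE_REQUIREMENT = "my-project @ git+https://${MY_CREDENTIALS}@github.com/my-team/my-project.git"
SAMPLE_REQUIRES_DIST = [
    "requests>=2.0",
    "my-dep @ git+https://${MY_CREDENTIALS}@github.com/my-team/my-dep.git",
]

if __name__ == "__main__":
    env = {"MY_CREDENTIALS": "EXAMPLE_TOKEN"}  # constructed, not a real token
    print(expand_requirements_line(SAMPLE_REQUIREMENT, env))
    print(unexpanded_placeholders(SAMPLE_REQUIRES_DIST))
```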